Code Security Report: 8 high severity findings, 32 total findings

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2023-07-14 09:00pm
Total Findings: 32 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 145
Detected Programming Languages: 5 (Java, Python, TypeScript, C#, R)

• Check this box to manually trigger a scan

Most Relevant Findings

The below list presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend SAST Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Date
High	Path/Directory Traversal	CWE-22	Runner.cs:179	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Lines 174 to 179 in cf98c1e } // parse the linked service json source for later use string linkedServiceName = dummyTable.Properties.LinkedServiceName; var servicePath = Path.Combine(adfFilesPath, linkedServiceName + ".json"); string serviceJson = File.ReadAllText(servicePath); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Line 111 in cf98c1e var dataJson = File.ReadAllText(dataPath); Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Line 111 in cf98c1e var dataJson = File.ReadAllText(dataPath); Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Line 112 in cf98c1e var dummyTable = JsonConvert.DeserializeObject<Models.Table>(dataJson); Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Line 177 in cf98c1e string linkedServiceName = dummyTable.Properties.LinkedServiceName; Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Line 178 in cf98c1e var servicePath = Path.Combine(adfFilesPath, linkedServiceName + ".json"); Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Line 179 in cf98c1e string serviceJson = File.ReadAllText(servicePath);
High	Deserialization of Untrusted Data	CWE-502	Listall.cs:27	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/ADFv2CustomActivitySample/Listall.cs Lines 22 to 27 in cf98c1e Console.WriteLine("Start to execute custom activity V2"); // Parse activity and reference objects info from input files dynamic activity = JsonConvert.DeserializeObject(File.ReadAllText("activity.json")); dynamic linkedServices = JsonConvert.DeserializeObject(File.ReadAllText("linkedServices.json")); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/ADFv2CustomActivitySample/Listall.cs Line 27 in cf98c1e dynamic linkedServices = JsonConvert.DeserializeObject(File.ReadAllText("linkedServices.json"));
High	Deserialization of Untrusted Data	CWE-502	Listall.cs:26	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/ADFv2CustomActivitySample/Listall.cs Lines 21 to 26 in cf98c1e { Console.WriteLine("Start to execute custom activity V2"); // Parse activity and reference objects info from input files dynamic activity = JsonConvert.DeserializeObject(File.ReadAllText("activity.json")); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/ADFv2CustomActivitySample/Listall.cs Line 26 in cf98c1e dynamic activity = JsonConvert.DeserializeObject(File.ReadAllText("activity.json"));
High	Deserialization of Untrusted Data	CWE-502	Runner.cs:26	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Lines 21 to 26 in cf98c1e // Get Key Vault settings if secure publish is being used on the local machine AdfFileHelper adfFileHelper = null; string settingsFile = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.UserProfile), "SecurePublishSettings.json"); if (File.Exists(settingsFile)) { AppSettings settings = JsonConvert.DeserializeObject<AppSettings>(File.ReadAllText(settingsFile)); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/ADFCustomActivityRunner/DotNetActivityRunner/Runner.cs Line 26 in cf98c1e AppSettings settings = JsonConvert.DeserializeObject<AppSettings>(File.ReadAllText(settingsFile));
High	Deserialization of Untrusted Data	CWE-502	SettingsPageGrid.cs:84	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/ADFSecurePublish/SecurePublishMenuCommand/UserSettings/SettingsPageGrid.cs Lines 79 to 84 in cf98c1e { AppSettings settings = null; try { settings = JsonConvert.DeserializeObject<AppSettings>(File.ReadAllText(settingsFile)); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/ADFSecurePublish/SecurePublishMenuCommand/UserSettings/SettingsPageGrid.cs Line 84 in cf98c1e settings = JsonConvert.DeserializeObject<AppSettings>(File.ReadAllText(settingsFile));
High	Deserialization of Untrusted Data	CWE-502	MainWindow.xaml.cs:65	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/ADFSecurePublish/SecurePublishForm/MainWindow.xaml.cs Lines 60 to 65 in cf98c1e "SecurePublishSettings.json"); if (File.Exists(settingsFile)) { try { settings = JsonConvert.DeserializeObject<AppSettings>(File.ReadAllText(settingsFile)); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/ADFSecurePublish/SecurePublishForm/MainWindow.xaml.cs Line 65 in cf98c1e settings = JsonConvert.DeserializeObject<AppSettings>(File.ReadAllText(settingsFile));
High	Deserialization of Untrusted Data	CWE-502	DecompressFile.cs:22	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV2/UntarAzureFilesWithAzureFunction/src/ExtractFunction/DecompressFile.cs Lines 17 to 22 in cf98c1e [FunctionName("DecompressFile")] public static async Task<IActionResult> Run( [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req, ILogger log) { dynamic data = JsonConvert.DeserializeObject(await new StreamReader(req.Body).ReadToEndAsync()); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV2/UntarAzureFilesWithAzureFunction/src/ExtractFunction/DecompressFile.cs Line 22 in cf98c1e dynamic data = JsonConvert.DeserializeObject(await new StreamReader(req.Body).ReadToEndAsync());
High	Cross-Site Scripting	CWE-79	JobOnHdiLauncher.java:347	2	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Lines 342 to 347 in cf98c1e try { streamReader = new BufferedReader(new InputStreamReader(inStream)); while ((line = streamReader.readLine()) != null) { printStream.println(line); 2 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 345 in cf98c1e while ((line = streamReader.readLine()) != null) Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 345 in cf98c1e while ((line = streamReader.readLine()) != null) Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 347 in cf98c1e printStream.println(line); View Data Flow 2 Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 345 in cf98c1e while ((line = streamReader.readLine()) != null) Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 345 in cf98c1e while ((line = streamReader.readLine()) != null) Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 347 in cf98c1e printStream.println(line);
Medium	Error Messages Information Exposure	CWE-209	JobOnHdiLauncher.java:184	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Lines 179 to 184 in cf98c1e } } catch (ParseException ex) { System.err.println("Error while parsing arguments ..."); ex.printStackTrace(); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 184 in cf98c1e ex.printStackTrace();
Medium	Error Messages Information Exposure	CWE-209	JobOnHdiLauncher.java:56	1	2023-07-14 09:01pm
More info Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Lines 51 to 56 in cf98c1e int exitStatus = jobOnHdiLauncher.submitJob(); System.exit(exitStatus); } catch (Exception ex) { ex.printStackTrace(); 1 Data Flow/s detected View Data Flow 1 Azure-DataFactory-00117605/SamplesV1/CustomizedJavaOnHDInsight/HDInsight-ADF/src/com/adf/jobonhdi/JobOnHdiLauncher.java Line 56 in cf98c1e ex.printStackTrace();

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Path/Directory Traversal	CWE-22	C#	1
High	Cross-Site Scripting	CWE-79	Java	1
High	Deserialization of Untrusted Data	CWE-502	C#	6
Medium	Error Messages Information Exposure	CWE-209	Java	2
Medium	Console Output	CWE-209	Java	2
Medium	Error Messages Information Exposure	CWE-209	C#	18
Medium	Console Output	CWE-209	C#	2