Code Security Report: 24 high severity findings, 140 total findings

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2023-11-06 07:51pm
Total Findings: 140 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 476
Detected Programming Languages: 2 (Java, JavaScript / Node.js)

• Check this box to manually trigger a scan

Most Relevant Findings

The below list presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend SAST Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Date
High	SQL Injection	CWE-89	Assignment5.java:60	2	2023-11-06 05:24pm
Vulnerable Code WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java Lines 55 to 60 in df0082b } if (!"Larry".equals(username_login)) { return failed(this).feedback("user.not.larry").feedbackArgs(username_login).build(); } try (var connection = dataSource.getConnection()) { PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'"); 2 Data Flow/s detected View Data Flow 1 WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java Line 60 in df0082b PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'"); View Data Flow 2 WebGoat/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge5/Assignment5.java Line 60 in df0082b PreparedStatement statement = connection.prepareStatement("select password from challenge_users where userid = '" + username_login + "' and password = '" + password_login + "'");
High	SQL Injection	CWE-89	SqlInjectionLesson5a.java:62	3	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Lines 57 to 62 in df0082b protected AttackResult injectableQuery(String accountName) { String query = ""; try (Connection connection = dataSource.getConnection()) { query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; try (Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE)) { ResultSet results = statement.executeQuery(query); 3 Data Flow/s detected View Data Flow 1 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 54 in df0082b return injectableQuery(account + " " + operator + " " + injection); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 54 in df0082b return injectableQuery(account + " " + operator + " " + injection); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 57 in df0082b protected AttackResult injectableQuery(String accountName) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 60 in df0082b query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 62 in df0082b ResultSet results = statement.executeQuery(query); View Data Flow 2 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 54 in df0082b return injectableQuery(account + " " + operator + " " + injection); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 54 in df0082b return injectableQuery(account + " " + operator + " " + injection); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 57 in df0082b protected AttackResult injectableQuery(String accountName) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 60 in df0082b query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 62 in df0082b ResultSet results = statement.executeQuery(query); View Data Flow 3 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 54 in df0082b return injectableQuery(account + " " + operator + " " + injection); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 54 in df0082b return injectableQuery(account + " " + operator + " " + injection); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 57 in df0082b protected AttackResult injectableQuery(String accountName) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 60 in df0082b query = "SELECT * FROM user_data WHERE first_name = 'John' and last_name = '" + accountName + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5a.java Line 62 in df0082b ResultSet results = statement.executeQuery(query);
High	SQL Injection	CWE-89	SqlInjectionLesson3.java:65	2	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java Lines 60 to 65 in df0082b protected AttackResult injectableQuery(String query) { try (Connection connection = dataSource.getConnection()) { try (Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY)) { Statement checkStatement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY); statement.executeUpdate(query); 2 Data Flow/s detected View Data Flow 1 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java Line 65 in df0082b statement.executeUpdate(query); View Data Flow 2 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java Line 57 in df0082b return injectableQuery(query); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java Line 57 in df0082b return injectableQuery(query); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java Line 60 in df0082b protected AttackResult injectableQuery(String query) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson3.java Line 65 in df0082b statement.executeUpdate(query);
High	SQL Injection	CWE-89	SqlInjectionLesson5b.java:58	1	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java Lines 53 to 58 in df0082b } protected AttackResult injectableQuery(String login_count, String accountName) { String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; try (Connection connection = dataSource.getConnection()) { PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); 1 Data Flow/s detected WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java Line 52 in df0082b return injectableQuery(login_count, userid); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java Line 52 in df0082b return injectableQuery(login_count, userid); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java Line 55 in df0082b protected AttackResult injectableQuery(String login_count, String accountName) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java Line 56 in df0082b String queryString = "SELECT * From user_data WHERE Login_Count = ? and userid= " + accountName; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson5b.java Line 58 in df0082b PreparedStatement query = connection.prepareStatement(queryString, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
High	SQL Injection	CWE-89	SqlInjectionLesson10.java:63	1	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java Lines 58 to 63 in df0082b String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; try (Connection connection = dataSource.getConnection()) { try { Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query); 1 Data Flow/s detected WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java Line 53 in df0082b return injectableQueryAvailability(action_string); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java Line 53 in df0082b return injectableQueryAvailability(action_string); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java Line 56 in df0082b protected AttackResult injectableQueryAvailability(String action) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java Line 58 in df0082b String query = "SELECT * FROM access_log WHERE action LIKE '%" + action + "%'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson10.java Line 63 in df0082b ResultSet results = statement.executeQuery(query);
High	SQL Injection	CWE-89	SqlInjectionChallenge.java:65	1	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java Lines 60 to 65 in df0082b try (Connection connection = dataSource.getConnection()) { String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; Statement statement = connection.createStatement(); ResultSet resultSet = statement.executeQuery(checkUserQuery); 1 Data Flow/s detected WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java Line 63 in df0082b String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java Line 63 in df0082b String checkUserQuery = "select userid from sql_challenge_users where userid = '" + username_reg + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallenge.java Line 65 in df0082b ResultSet resultSet = statement.executeQuery(checkUserQuery);
High	SQL Injection	CWE-89	Servers.java:71	1	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java Lines 66 to 71 in df0082b @ResponseBody public List<Server> sort(@RequestParam String column) throws Exception { List<Server> servers = new ArrayList<>(); try (Connection connection = dataSource.getConnection(); PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) { 1 Data Flow/s detected WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/mitigation/Servers.java Line 71 in df0082b PreparedStatement preparedStatement = connection.prepareStatement("select id, hostname, ip, mac, status, description from servers where status <> 'out of order' order by " + column)) {
High	SQL Injection	CWE-89	SqlInjectionLesson9.java:66	4	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Lines 61 to 66 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; try (Connection connection = dataSource.getConnection()) { try { Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE); SqlInjectionLesson8.log(connection, query); ResultSet results = statement.executeQuery(query); 4 Data Flow/s detected View Data Flow 1 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 61 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 61 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 66 in df0082b ResultSet results = statement.executeQuery(query); View Data Flow 2 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 61 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 61 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 66 in df0082b ResultSet results = statement.executeQuery(query); View Data Flow 3 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 56 in df0082b return injectableQueryIntegrity(name, auth_tan); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 56 in df0082b return injectableQueryIntegrity(name, auth_tan); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 59 in df0082b protected AttackResult injectableQueryIntegrity(String name, String auth_tan) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 61 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson9.java Line 66 in df0082b ResultSet results = statement.executeQuery(query); View more Data Flows
High	SQL Injection	CWE-89	SqlInjectionLesson8.java:66	4	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Lines 61 to 66 in df0082b try (Connection connection = dataSource.getConnection()) { try { Statement statement = connection.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE); log(connection, query); ResultSet results = statement.executeQuery(query); 4 Data Flow/s detected View Data Flow 1 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 60 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 60 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 66 in df0082b ResultSet results = statement.executeQuery(query); View Data Flow 2 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 60 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 60 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 66 in df0082b ResultSet results = statement.executeQuery(query); View Data Flow 3 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 55 in df0082b return injectableQueryConfidentiality(name, auth_tan); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 55 in df0082b return injectableQueryConfidentiality(name, auth_tan); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 58 in df0082b protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 60 in df0082b String query = "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'"; WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson8.java Line 66 in df0082b ResultSet results = statement.executeQuery(query); View more Data Flows
High	SQL Injection	CWE-89	SqlInjectionLesson2.java:62	2	2022-08-15 03:41pm
Vulnerable Code WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java Lines 57 to 62 in df0082b } protected AttackResult injectableQuery(String query) { try (var connection = dataSource.getConnection()) { Statement statement = connection.createStatement(TYPE_SCROLL_INSENSITIVE, CONCUR_READ_ONLY); ResultSet results = statement.executeQuery(query); 2 Data Flow/s detected View Data Flow 1 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java Line 62 in df0082b ResultSet results = statement.executeQuery(query); View Data Flow 2 WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java Line 56 in df0082b return injectableQuery(query); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java Line 56 in df0082b return injectableQuery(query); WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java Line 59 in df0082b protected AttackResult injectableQuery(String query) { WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/introduction/SqlInjectionLesson2.java Line 62 in df0082b ResultSet results = statement.executeQuery(query);

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Deserialization of Untrusted Data	CWE-502	Java	2
High	SQL Injection	CWE-89	Java	12
High	Cross-Site Scripting	CWE-79	Java	3
High	Path/Directory Traversal	CWE-22	Java	5
High	Server Side Request Forgery	CWE-918	Java	1
High	DOM Based Cross-Site Scripting	CWE-79	JavaScript / Node.js	1
Medium	Weak Pseudo-Random	CWE-338	JavaScript / Node.js	2
Medium	Console Output	CWE-209	Java	5
Medium	Error Messages Information Exposure	CWE-209	Java	54
Medium	Weak Pseudo-Random	CWE-338	Java	8
Medium	Heap Inspection	CWE-244	Java	33
Medium	Hardcoded Password/Credentials	CWE-798	Java	10
Medium	XML External Entity (XXE) Injection	CWE-611	Java	1
Medium	Miscellaneous Dangerous Functions	CWE-676	Java	2
Low	Weak Hash Strength	CWE-916	Java	1