From 1a2fa77110272030450548649fd24df04c8ae607 Mon Sep 17 00:00:00 2001 From: Matt Stanchek Date: Wed, 4 Dec 2024 17:04:57 +0000 Subject: [PATCH 1/9] new HCL AppScan on Cloud SAST parser --- .../parsers/file/hcl_asoc_sast.md | 8 + dojo/settings/.settings.dist.py.sha256sum | 2 +- dojo/settings/settings.dist.py | 3 + dojo/tools/hcl_asoc_sast/__init__.py | 1 + dojo/tools/hcl_asoc_sast/parser.py | 156 + unittests/scans/hcl_asoc_sast/many_issues.xml | 6856 +++++++++++++++++ unittests/scans/hcl_asoc_sast/no_issues.xml | 630 ++ unittests/scans/hcl_asoc_sast/one_issue.xml | 704 ++ unittests/tools/test_hcl_asoc_sast_parser.py | 36 + 9 files changed, 8395 insertions(+), 1 deletion(-) create mode 100644 docs/content/en/connecting_your_tools/parsers/file/hcl_asoc_sast.md create mode 100644 dojo/tools/hcl_asoc_sast/__init__.py create mode 100644 dojo/tools/hcl_asoc_sast/parser.py create mode 100644 unittests/scans/hcl_asoc_sast/many_issues.xml create mode 100644 unittests/scans/hcl_asoc_sast/no_issues.xml create mode 100644 unittests/scans/hcl_asoc_sast/one_issue.xml create mode 100644 unittests/tools/test_hcl_asoc_sast_parser.py diff --git a/docs/content/en/connecting_your_tools/parsers/file/hcl_asoc_sast.md b/docs/content/en/connecting_your_tools/parsers/file/hcl_asoc_sast.md new file mode 100644 index 00000000000..da86383ee37 --- /dev/null +++ b/docs/content/en/connecting_your_tools/parsers/file/hcl_asoc_sast.md @@ -0,0 +1,8 @@ +--- +title: "HCL AppScan on Cloud SAST" +toc_hide: true +--- +HCL Appscan on Cloud can export the results in PDF, XML and CSV formats but this parser only supports the import of XML generated from HCL Appscan on Cloud for SAST scans. + +### Sample Scan Data +Sample HCL AppScan on Cloud SAST scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/hcl_asoc_sast). diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum index 2db4c82d7c6..a466f9a965a 100644 --- a/dojo/settings/.settings.dist.py.sha256sum +++ b/dojo/settings/.settings.dist.py.sha256sum @@ -1 +1 @@ -6e88f73d9310e9da23ff2b1c5078ed40a0b604d1cbda42d4f009bc1134330c38 +6fd36fcdf01e6881e5d97fbf37fe8e10b2aad8ac7878691f9e362cecc4eb7cca diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py index 8a88b249683..d48945fe704 100644 --- a/dojo/settings/settings.dist.py +++ b/dojo/settings/settings.dist.py @@ -1276,6 +1276,7 @@ def saml2_attrib_map_format(dict): "Humble Json Importer": ["title"], "MSDefender Parser": ["title", "description"], "HCLAppScan XML": ["title", "description"], + "HCL AppScan on Cloud SAST XML": ["title", "file_path", "line", "severity"], "KICS Scan": ["file_path", "line", "severity", "description", "title"], "MobSF Scan": ["title", "description", "severity"], "MobSF Scorecard Scan": ["title", "description", "severity"], @@ -1363,6 +1364,7 @@ def saml2_attrib_map_format(dict): "Wazuh": True, "Nuclei Scan": True, "Threagile risks report": True, + "HCL AppScan on Cloud SAST XML": True, "AWS Inspector2 Scan": True, } @@ -1521,6 +1523,7 @@ def saml2_attrib_map_format(dict): "Wazuh Scan": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL, "MSDefender Parser": DEDUPE_ALGO_HASH_CODE, "HCLAppScan XML": DEDUPE_ALGO_HASH_CODE, + "HCL AppScan on Cloud SAST XML": DEDUPE_ALGO_UNIQUE_ID_FROM_TOOL_OR_HASH_CODE, "KICS Scan": DEDUPE_ALGO_HASH_CODE, "MobSF Scan": DEDUPE_ALGO_HASH_CODE, "MobSF Scorecard Scan": DEDUPE_ALGO_HASH_CODE, diff --git a/dojo/tools/hcl_asoc_sast/__init__.py b/dojo/tools/hcl_asoc_sast/__init__.py new file mode 100644 index 00000000000..c8c5fc2da7d --- /dev/null +++ b/dojo/tools/hcl_asoc_sast/__init__.py @@ -0,0 +1 @@ +__author__ = "xpert98" diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py new file mode 100644 index 00000000000..4394131d6d8 --- /dev/null +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -0,0 +1,156 @@ +from xml.dom import NamespaceErr + +from defusedxml import ElementTree as ET + +from dojo.models import Finding + + +class HCLASoCSASTParser: + def get_scan_types(self): + return ["HCL AppScan on Cloud SAST XML"] + + def get_label_for_scan_types(self, scan_type): + return scan_type + + def get_description_for_scan_types(self, scan_type): + return "Import XML output of HCL AppScan on Cloud SAST" + + def xmltreehelper(self, input): + if input.text is None: + output = None + elif "\n" in input.text: + output = "" + for i in input: + output = output + " " + i.text + else: + output = " " + input.text + return output + + def get_findings(self, file, test): + findings = [] + tree = ET.parse(file) + root = tree.getroot() + if "xml-report" not in root.tag: + msg = "This doesn't seem to be a valid HCL ASoC SAST xml file." + raise NamespaceErr(msg) + report = root.find("issue-group") + if report is not None: + for finding in report: + title = "" + description = "" + for item in finding: + match item.tag: + case "severity": + output = self.xmltreehelper(item) + if output is None: + severity = "Info" + else: + severity = output.strip(" ").capitalize() + case "cwe": + cwe = int(self.xmltreehelper(item)) + case "issue-type": + title = self.xmltreehelper(item).strip() + description = description + "***Issue-Type:" + title + "\n" + case "issue-type-name": + title = self.xmltreehelper(item).strip() + description = description + "***Issue-Type-Name:" + title + "\n" + case "source-file": + location = self.xmltreehelper(item).strip() + description = description + "***Location:" + location + "\n" + case "line": + line = int(self.xmltreehelper(item).strip()) + description = description + "***Line:" + str(line) + "\n" + case "threat-class": + threatclass = self.xmltreehelper(item) + description = description + "***Threat-Class:" + threatclass + "\n" + case "entity": + entity = self.xmltreehelper(item) + title += "_" + entity.strip() + description = description + "***Entity:" + entity + "\n" + case "security-risks": + security_risks = self.xmltreehelper(item) + description = description + "***Security-Risks:" + security_risks + "\n" + case "cause-id": + causeid = self.xmltreehelper(item) + title += "_" + causeid.strip() + description = description + "***Cause-Id:" + causeid + "\n" + case "element": + element = self.xmltreehelper(item) + description = description + "***Element:" + element + "\n" + case "element-type": + elementtype = self.xmltreehelper(item) + description = description + "***ElementType:" + elementtype + "\n" + case "variant-group": + variantgroup = item.iter() + description = description + "***Call Trace:" + "\n" + for vitem in variantgroup: + if vitem.tag == "issue-information": + issueinformation = vitem.iter() + for iitem in issueinformation: + if iitem.tag == "context": + description = description + self.xmltreehelper(iitem) + "\n" + + case "fix": + recommendations = "" + externalreferences = "" + issuetypename = "" + remediation = "" + fix = item.iter() + for fitem in fix: + if fitem.tag == "types": + type = fitem.iter() + for titem in type: + if titem.tag == "name": + issuetypename = self.xmltreehelper(titem) + if fitem.tag == "remediation": + remediation = self.xmltreehelper(fitem) + + articlegroup = root.find("article-group") + if articlegroup is not None: + for articles in articlegroup: + if articles.attrib["id"] == issuetypename.strip() and articles.attrib["api"] == remediation.strip(): + articledetails = articles.iter() + for aitem in articledetails: + if aitem.tag == "cause": + description = description + "***Cause:" + "\n" + for causeitem in aitem: + if causeitem.attrib["type"] == "string": + if causeitem.text is not None: + description = description + causeitem.text + "\n" + if aitem.tag == "recommendations": + for recitem in aitem: + if recitem.attrib["type"] == "string": + if recitem.text is not None: + recommendations = recommendations + recitem.text + "\n" + elif recitem.attrib["type"] == "object": + codeblock = recitem.iter() + for codeitem in codeblock: + if codeitem.tag == "item" and codeitem.attrib["type"] == "string": + if codeitem.text is None: + recommendations = recommendations + "\n" + else: + recommendations = recommendations + self.xmltreehelper(codeitem) + "\n" + + if aitem.tag == "externalReferences": + ref = aitem.iter() + for ritem in ref: + if ritem.tag == "title": + externalreferences = externalreferences + self.xmltreehelper(ritem).strip() + "\n" + if ritem.tag == "url": + externalreferences = externalreferences + self.xmltreehelper(ritem).strip() + "\n" + + prepared_finding = Finding( + title=title, + description=description, + file_path=location, + line=line, + severity=severity, + cwe=cwe, + mitigation=recommendations, + references=externalreferences, + dynamic_finding=False, + static_finding=True, + ) + findings.append(prepared_finding) + return findings + return findings diff --git a/unittests/scans/hcl_asoc_sast/many_issues.xml b/unittests/scans/hcl_asoc_sast/many_issues.xml new file mode 100644 index 00000000000..0c9e3caa499 --- /dev/null +++ b/unittests/scans/hcl_asoc_sast/many_issues.xml @@ -0,0 +1,6856 @@ + + + + added + added to request: + Additional Data: + Advisories + Affected Products: + Vulnerable URLs + Concurrent Logins: + Application Data + Application Server: + AppScan Severity + Harmless + This request/response contains binary content, which is not included in generated reports. + Body + Failed Requests + Cause + Causes + Causes: + Id + Name + The following weak cipher suites are supported by the server: + Code + Comment + Comments + Cookie + Cookies + CVE: + CWE: + Detailed Summary + A detailed listing of the scan results, including all issue types found, all recommended remediation tasks, all vulnerable URLs, etc. This section is intended to provide a more detailed understanding of the security status of the application, as well as assist in scoping and prioritizing the work required to remedy issues found. + Tracked or session ID cookies: + Tracked or session ID parameters: + Difference: + Document Map + This report consists of the following sections: + Domain + .Net + JavaScript execution: + Entity + Entity: + Example + Summary + This section provides a high level view of the information gathered during the scan, using graphs or comparative numbers. It is intended to provide a general understanding of the security status of the application. + Expires + Filtered URLs + First Set + Fix + Fix: + Fix Recommendations + General + General Information + Header + High + High severity issues: + Host: + Index + Informational + Informational severity issues: + Introduction + Introduction and Objectives + General information about the scan, including the project name, purpose of the scan, etc. + Issue + Issues Sorted by Issue Type + Issues Sorted by URL + Issues detected across + Issue Type + Issue Types + Issue Types + J2EE + JavaScripts + Login Settings + Low + Low severity issues: + Malicious + manipulated from: + Medium + Medium severity issues: + Method + Name + New URLs + Report Produced on Tree node: + this is now the same as the one below - should be removed + Number of Issues + Objectives + AppScan performs real-time security assessments on web applications. These assessments aim to uncover any security issues in the application, explain the impact and risks associated with these issues, and provide guidance in planning and prioritizing remediation. The objective of this assignment was to perform controlled attack and penetration activities to assess the overall level of security of the application. + of + Operating system: + Original Request + Original Requests and Responses: + Original Response + Parameter + Parameters + Path + PHP + Query + Raw Test Response: + Reason + Reasoning: + Login sequence: + References: + Regulations + Remaining URLs + Remediation Task + removed + removed from request: + Removed URLs + Comprehensive Security Report + AppScan Web Application Security Report + Requested URL + Request + Response + Risk + Risk: + Rules: + Scan started: + Scan file name: + Sections + sections of the regulation: + Violated Section + GDPR Articles + Section Violation by Issue + Secure + Detailed Security Issues by Sections + Security Risks + Security Risks: + Login method: + In-session detection: + In-session pattern: + Severity + Severity: + Unique issues detected across + SSL Version + Table of Contents + Test Description: + Test Login + Test policy: + Test Request: + Test Requests and Responses: + Test Response (first) + Test Response + Test Response (last) + Test Response (next-to-last) + Technical Description: + Test Type: + Threat + WASC Threat Classification + Threat Classification: + TOC + to: + Total security issues included in the report: + Total security issues: + total security issues + Type + Unwanted + URL + URL: + Valid Login + Value + Variant + Visited URLs + Vulnerable URLs + Web server: + Issue Types that this task fixes + Simulation of the pop-up that appears when this page is opened in a browser + Location + Intent Action: + Intent Class: + Intent Data: + Intent Extra: + Intent Package: + Payload + Issues: + Method Signature: + Issue Validation Parameters: + Thread: + Timestamp: + Trace: + Issue Information + This issue was detected by AppScan's Mobile Analyzer. + Call Stack: + Header: + XML: + File Name: + File Permission: + Synopsis: + Dump: + Manifest: + Request: + Method Information + Signature: + File: + Name: + Permissions: + Class + Function + Line + Created by: + Summary of security issues + Issues + Go to Table of Contents + Issue Types: + Application Version: + Scan Name: + First Variant: + Variants Found: + OWASP: + X-Force: + (Only the first one is displayed) + No security issues discovered in the scan + Scan status: + Note that the scan on which this report is based was not completed. + Success + Refer to the site for more details. + Sink + Source + OWASP Top 10 + File Path: + Reference: + Free Plan + Please Note: + This summary report was created with the Application Security Analyzer Free Plan. Once you purchase the full service you will have access to a complete report with detailed descriptions of the issues found and how to remediate them. + Activities: + Coverage + Activities + This report includes important security information about your mobile application. + Fix Recommendations: + Component + Glossary + Privacy: + Symbols Found: + Mobile Application Report + Class Signature: + Defining Class + Controllable Object Fields: + Receivers: + Services: + Receivers + Services + Method Signature: + Issue Information: + Settings For Target: + Provider: + Sample Report + Login Mode: + Views: + Views + None + Automatic + Manual + Calling Line + Calling Method + Class + Classification + Critical + Date Created + Discovery Method + Last Updated + Package + Scans: + Severity Value + Status + API + Element + Scheme + Sink: + Source: + Trace + Source File + Access Complexity + Access Vector + Authentication + Availability Impact + Confidentiality Impact + CVE + CVSS + Description + Exploitability + Integrity Impact + Summary + Activities that were tested for security vulnerabilities, as defined in the app's manifest. + Issue Types that ASoC has tested your application for. + Receivers that were tested for security vulnerabilities, as defined in the app's manifest. + Services that were tested for security vulnerabilities, as defined in the app's manifest. + Titles of Views encountered when crawling the app. + Leaked Information: + Password: + User Name: + Mitigation: + Alternate Fix Suggestions + This method is a part of the application code and appears in each of the grouped issue's traces. You should begin investigating a possible fix in the implementation of the method. + This method is a third-party API, with a common caller in each of the grouped issue's traces. You should begin investigating a possible fix at the caller: + Replace/Repair Vulnerable OpenSource: + Please refer to the details of this issue for fix recommendations. + Business Impact: + Created: + Security Report for: + Regulation Report for: + Notes: + - Details + - Discussion + Contains: + {0} issues + (out of {0}) + - Audit Trail + Cause: + HCL Application Security on Cloud, Version + Directory: + Constant Value: + Found in: + Informational + Low + Medium + High + Critical + User Supplied Credit Card Number: + User Supplied Id: + User Supplied Input: + User Supplied Password: + User Supplied Phone Number: + User Supplied User Name: + - Fix Recommendation + Included for each issue separately. + Port: + Application Name: + Copyleft: + Copyright Risk: + Date: + Library Name: + License Name: + Open Source Report + Licenses + Linking: + Patent Risk: + Reference Type: + Reference URL: + Risk Level: + Libraries with high risk level: + Libraries with low risk level: + Libraries with medium risk level: + Libraries with unknown risk level: + Royalty Free: + Total Open Source Libraries: + AppScan on Cloud + Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, regardless of whether the code is dynamically or statically linked. (example: GPL). Attribution and/or license terms may be required. + Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. These licenses include LGPL and GPL with Class Path Exception, as examples. Attribution and/or license terms may be required. + Anyone may use the code without restriction. + Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero). Attribution and/or license terms may be required. + Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero). Attribution and/or license terms may be required. + Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available. Attribution and/or license terms may also be required. + Anyone who distributes the code must provide certain notices as described in the license. These generally require providing attributions and/or license terms with the software. + Specific identified patent risks + Royalty free and no identified patent risks + No patents granted + Royalty free unless litigated + Report created at: + Report for scan: + Open source library name + Risk level + Security Report + Open Source Libraries + Unknown + Reference + In this section you’ll find more details about the fields and their values. + Disabled + Enabled + None + Automatic + Prompt + Recorded login + Unknown + (Modified) + Any + Unknown + Sample Trace + License Type + Scan Security Report + This report lists all the open source libraries found in your scan, and their associated open source Risk Levels. + + Open Source Risk Levels are not the same as the Risk Levels in Security Reports, and not related to the vulnerabilities of specific issues. + You can see if any of the libraries have known vulnerabilities in Issue Management view. + Number Of Libraries + Report Date: + Scanned under Application: + Scan Start Date: + Total Open Source License Types: + Details + Threat Classification: + Fix Groups: + Implementation of {0} + Usage of {0} via {1} + Fix Group #{0}: {1} + This section groups {0} issues of type {1} with significant commonality in the their traces. + This section groups {0} issues with significant commonality in their traces. The following issue types are included: + This section groups {0} issues of type {1} with a common opensource file. + This section groups {0} issues with a common opensource file. The following issue types are included: + These issues are grouped together to try to help you find a common fix that resolves them all. + These method calls are also common to the traces of the issues in this group. They represent other possible These method calls are also common to the traces of the issues in this group. They represent other possible locations to investigate a fix. + All {0} issues in this report appear to be independent, lacking the commonality required in their traces to be grouped together. They all appear in this section. + This section lists the remaining {0} issues that could not be included in any other fix groups. + The following issue types are included: + Ungrouped + Fix Recommendation + Library Version: + API: + at line + Call + Caller: + Description: + Name: + Example Trace: + File + Lost Sink + Not a Validator + Sample Trace + Publish date: + Resolution: + Source and Sink + Tainted Arg + Taint Propagator + via + Virtual Lost Sink + Test Optimization: + Normal + Optimized + Issue ID: + Compliance Security Report + Undefined + Undefined + Title: + Report Date UTC: + Fix Group ID: + Method: + Query String: + URI: + Arguments: + Call Trace: + Object: + Return: + Stack: + Type: + By Fix Groups: + By Issue Types: + Fix-Groups + Library: + Location: + Status: + Common API Call: + Common Fix Point: + Common Open Source: + Common Fix Point: + OpenSource + API: + Location of fix: + Library name: + Location of fix: + Advisory: + Custom Advisory: + Hosts + Fast + Faster + Fastest + No Optimization + How to Fix: + Report Name: + Technology: + Scan Information + General Advisory: + Finding specific advisory: + Example: + Exploit Example: + (none) + Not applicable for this issue. + HTTP Only + JS Stack Trace + Same Site + False + True + (Mixed) + Articles + CWE + Exploit example + External references + Recommendations + Language: + How to Fix + See also issue-details 'Resolution' section below. + Mitigation + Important: + Note: The number of issues found exceeded the maximum that can be shown in a single set of results. +The scan results show {0} representitive issues. + Personal Scan + Personal Scans are deleted after {0} days, unless promoted to the application within that time. + Additional Information: + Fixed + In Progress + New + Noise + Open + Passed + Reopened + Definitive + Scan Coverage Findings + Suspect + Cipher Suites: + ID + Fix recommendation + Default (Production) + Default (Staging) + Default + Body + Cookie + Global + Header + Header Name + Link + Other + Page + Parameter + Parameter Name + Query + Role + Source Line + Unspecified + Critical + High + Low + Medium + Unspecified + Report for application: + This report lists all the open source libraries found in your application, and their associated open source Risk Levels. + License Details + Library Name + Version + Undefined + Critical severity issues: + Copyleft applies on modifications as well as own code that uses the open-source software. + Non-copyleft license. + Copyleft applies only to modifications. + Undefined + Dynamic linking will not infect the linking code. + The licensing of the linking code will remain unaffected. + Undefined + Linking will infect the code linking code. + Alpine + Arch Linux + Bower + Build Configuration File + Details available in CDNJS + Debian + .NET + Eclipse OSGI Bundle + Details available in GitHub repository + License information in host site + License File + Node package manager + NuGet Package + Other + POM file + Project Home Page + Python Package Index + Readme File + RPM + RubyGems + License assigned manually by a user in the organization + Undefined + High + Low + Medium + Undefined + Unknown + Royalty-free unless litigated. + No patents granted. + Royalty-free and no identified patent risks. + Undefined severity issues: + Last Found + CVSS Version + Total Items: + IAST call stack: + Undefined + - Comments + Method: + Both + Config + Hash + Dependency Root: + Source-file and Package-manager + Package-manager + Source-file + None + + + + + HCL + Application Security on Cloud + sample-php + Unspecified + Friday, October 18, 2024 + FullReport + 83 + False + 30 + 20000 + False + ASoC + + + 1 + 1 + 1 + 1 + 0 + 1 + 1 + 0 + 0 + 0 + 0 + 0 + 0 + + + + Authentication Bypass + + + Configuration + + + Cross-Site Scripting + + + Injection + + + Missing Standardized Error Handling Mechanism + + + PathTraversal + + + PrivilegeEscalation + + + Reflected Cross Site Scripting + + + AppDOS + + + Logging + + + Privacy + + + SessionManagement.Cookies + + + Missing Encryption of Sensitive Data + + + + + + + + + AccessControl.Bypass + + 1 + + + + Verify Session Data Stored in A Secure Directory + sample-php/config/php.ini:1309 + + + + session.save_path = "N;/path" + + + + + + + + + Verify Session Data Stored in A Secure Directory + High + + Verify Session Data Stored in A Secure Directory + + + + AccessControl.Bypass + + + + + High + 3 + SAST + + 288 + + + catInsufficientAuthorization + + + privilegeEscalation + + + insecureWebAppConfiguration + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Authentication Bypass + sample-php/config/php.ini:1309 + sample-php/config/php.ini + None + 1309 + 0 + 068355ff-748d-ef11-8473-000d3a0fc910 + 418355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AccessControl.Bypass + Location: → sample-php/config/php.ini:1309 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + AccessControl.Bypass + + 1 + + + + Verify Session Data Stored in A Secure Directory + sample-php/config/php.ini:1325 + + + + session.save_path = "N;MODE;/path" + + + + + + + + + Verify Session Data Stored in A Secure Directory + High + + Verify Session Data Stored in A Secure Directory + + + + AccessControl.Bypass + + + + + High + 3 + SAST + + 288 + + + catInsufficientAuthorization + + + privilegeEscalation + + + insecureWebAppConfiguration + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Authentication Bypass + sample-php/config/php.ini:1325 + sample-php/config/php.ini + None + 1325 + 0 + 068355ff-748d-ef11-8473-000d3a0fc910 + 448355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AccessControl.Bypass + Location: → sample-php/config/php.ini:1325 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + Configuration + + 1 + + + + The disable_functions parameter is empty + sample-php/config/php.ini:312 + + + + disable_functions = + +; This directive allows you to disable certain classes. + + + + + + + + + The disable_functions parameter is empty + High + + The disable_functions parameter is empty + + + + Configuration + + + + + High + 3 + SAST + + 16 + + + catApplicationMisconfiguration + + + sensitiveInformation + + + insecureWebAppConfiguration + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Configuration + sample-php/config/php.ini:312 + sample-php/config/php.ini + None + 312 + 0 + 0f8355ff-748d-ef11-8473-000d3a0fc910 + 208355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Configuration + Location: → sample-php/config/php.ini:312 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditApplicationOwnerForm.php:50 + + + + <input type="text" class="form-control" id="ownerName" name="ownerName" value="<?php echo $cisData[0]['ownername']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditApplicationOwnerForm.php:50 + sample-php/src/adminEditApplicationOwnerForm.php + None + 50 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 5f8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditApplicationOwnerForm.php:50 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditApplicationOwnerForm.php:53 + + + + <input type="hidden" id="ownerId" name="ownerId" value="<?php echo $ownerId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditApplicationOwnerForm.php:53 + sample-php/src/adminEditApplicationOwnerForm.php + None + 53 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 628355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditApplicationOwnerForm.php:53 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditApplicationTypeForm.php:48 + + + + <input type="text" class="form-control" id="typeName" name="typeName" value="<?php echo $cisData[0]['typename']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditApplicationTypeForm.php:48 + sample-php/src/adminEditApplicationTypeForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 658355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditApplicationTypeForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditApplicationTypeForm.php:51 + + + + <input type="hidden" id="typeId" name="typeId" value="<?php echo $typeId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditApplicationTypeForm.php:51 + sample-php/src/adminEditApplicationTypeForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 688355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditApplicationTypeForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditBusinessUnitForm.php:48 + + + + <input type="text" class="form-control" id="businessUnitName" name="businessUnitName" value="<?php echo $cisData[0]['businessunitname']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditBusinessUnitForm.php:48 + sample-php/src/adminEditBusinessUnitForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 6b8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditBusinessUnitForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditBusinessUnitForm.php:51 + + + + <input type="hidden" id="buId" name="buId" value="<?php echo $buId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditBusinessUnitForm.php:51 + sample-php/src/adminEditBusinessUnitForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 6e8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditBusinessUnitForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditCodeLanguageForm.php:48 + + + + <input type="text" class="form-control" id="languageName" name="languageName" value="<?php echo $cisData[0]['languagename']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditCodeLanguageForm.php:48 + sample-php/src/adminEditCodeLanguageForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 718355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditCodeLanguageForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditCodeLanguageForm.php:51 + + + + <input type="hidden" id="languageId" name="languageId" value="<?php echo $languageId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditCodeLanguageForm.php:51 + sample-php/src/adminEditCodeLanguageForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 748355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditCodeLanguageForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditDataClassificationForm.php:48 + + + + <input type="text" class="form-control" id="dataClassificationName" name="dataClassificationName" value="<?php echo $cisData[0]['dataclassificationname']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditDataClassificationForm.php:48 + sample-php/src/adminEditDataClassificationForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 778355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditDataClassificationForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditDataClassificationForm.php:51 + + + + <input type="hidden" id="dataClassificationId" name="dataClassificationId" value="<?php echo $dataClassificationId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditDataClassificationForm.php:51 + sample-php/src/adminEditDataClassificationForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 7a8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditDataClassificationForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditDeploymentEnvironmentForm.php:48 + + + + <input type="text" class="form-control" id="deploymentEnvironmentName" name="deploymentEnvironmentName" value="<?php echo $cisData[0]['deploymentenvironmentname']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditDeploymentEnvironmentForm.php:48 + sample-php/src/adminEditDeploymentEnvironmentForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 7d8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditDeploymentEnvironmentForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditDeploymentEnvironmentForm.php:51 + + + + <input type="hidden" id="deploymentEnvironmentId" name="deploymentEnvironmentId" value="<?php echo $deploymentEnvironmentId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditDeploymentEnvironmentForm.php:51 + sample-php/src/adminEditDeploymentEnvironmentForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 808355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditDeploymentEnvironmentForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditExposureLevelForm.php:48 + + + + <input type="text" class="form-control" id="exposureLevelName" name="exposureLevelName" value="<?php echo $cisData[0]['exposurename']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditExposureLevelForm.php:48 + sample-php/src/adminEditExposureLevelForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 838355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditExposureLevelForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditExposureLevelForm.php:51 + + + + <input type="hidden" id="exposureId" name="exposureId" value="<?php echo $exposureId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditExposureLevelForm.php:51 + sample-php/src/adminEditExposureLevelForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 868355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditExposureLevelForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditLifecycleStageForm.php:48 + + + + <input type="text" class="form-control" id="lifecycleStageName" name="lifecycleStageName" value="<?php echo $cisData[0]['lifecyclestagename']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditLifecycleStageForm.php:48 + sample-php/src/adminEditLifecycleStageForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 8a8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditLifecycleStageForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditLifecycleStageForm.php:51 + + + + <input type="hidden" id="lifecycleStageId" name="lifecycleStageId" value="<?php echo $lifecycleStageId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditLifecycleStageForm.php:51 + sample-php/src/adminEditLifecycleStageForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 908355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditLifecycleStageForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditRiskLevelForm.php:48 + + + + <input type="text" class="form-control" id="riskLevelName" name="riskLevelName" value="<?php echo $cisData[0]['risklevelname']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditRiskLevelForm.php:48 + sample-php/src/adminEditRiskLevelForm.php + None + 48 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 938355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditRiskLevelForm.php:48 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditRiskLevelForm.php:51 + + + + <input type="hidden" id="riskLevelId" name="riskLevelId" value="<?php echo $riskLevelId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditRiskLevelForm.php:51 + sample-php/src/adminEditRiskLevelForm.php + None + 51 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 968355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditRiskLevelForm.php:51 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditUserForm.php:50 + + + + <input type="password" class="form-control" id="userPassword" name="userPassword"> + </div> + <div class="form-group"> + <label for="userFirstName">First Name</label> + <input type="text" class="form-control" id="userFirstName" name="userFirstName" value="<?php echo $userData[2]; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditUserForm.php:50 + sample-php/src/adminEditUserForm.php + None + 50 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 998355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditUserForm.php:50 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditUserForm.php:58 + + + + <input type="text" class="form-control" id="userLastName" name="userLastName" value="<?php echo $userData[3]; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditUserForm.php:58 + sample-php/src/adminEditUserForm.php + None + 58 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 9c8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditUserForm.php:58 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/adminEditUserForm.php:61 + + + + <input type="hidden" id="userId" name="userId" value="<?php echo $userId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/adminEditUserForm.php:61 + sample-php/src/adminEditUserForm.php + None + 61 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 9f8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/adminEditUserForm.php:61 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:85 + + + + <input type="hidden" id="appId" name="appId" value="<?php echo $applicationData[0]['id']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:85 + sample-php/src/editApplicationForm.php + None + 85 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 4f6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:85 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:90 + + + + <input type="text" class="form-control" id="commonName" name="commonName" value="<?php echo $applicationData[0]['commonname']; ?>" required> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:90 + sample-php/src/editApplicationForm.php + None + 90 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 526fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:90 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:96 + + + + <input type="hidden" id="currentPrimaryOwnerId" value="<?php echo $applicationData[0]['primaryownerid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:96 + sample-php/src/editApplicationForm.php + None + 96 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 556fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:102 + + + + <input type="text" class="form-control" id="secondaryOwners" name="secondaryOwners" value="<?php echo $applicationData[0]['secondaryowners']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:102 + sample-php/src/editApplicationForm.php + None + 102 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 586fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:102 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:117 + + + + <input type="text" class="form-control" id="codeRepoUrl" name="codeRepoUrl" value="<?php echo $applicationData[0]['coderepourl']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:117 + sample-php/src/editApplicationForm.php + None + 117 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 5b6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:117 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:121 + + + + <input type="text" class="form-control" id="binaryRepoUrl" name="binaryRepoUrl" value="<?php echo $applicationData[0]['binaryrepourl']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:121 + sample-php/src/editApplicationForm.php + None + 121 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 5e6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:121 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:126 + + + + <input type="hidden" id="currentPrimaryLanguageId" value="<?php echo $applicationData[0]['primarylanguageid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:126 + sample-php/src/editApplicationForm.php + None + 126 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 616fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:126 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:135 + + + + <input type="hidden" id="currentTypeId" value="<?php echo $applicationData[0]['typeid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:135 + sample-php/src/editApplicationForm.php + None + 135 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 646fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:135 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:141 + + + + <input type="hidden" id="currentBusinessUnitId" value="<?php echo $applicationData[0]['businessunitid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:141 + sample-php/src/editApplicationForm.php + None + 141 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 676fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:141 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:146 + + + + <input type="hidden" id="currentExposureId" value="<?php echo $applicationData[0]['exposureid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:146 + sample-php/src/editApplicationForm.php + None + 146 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 6a6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:146 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:151 + + + + <input type="text" class="form-control" id="numUsers" name="numUsers" value="<?php echo $applicationData[0]['numusers']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:151 + sample-php/src/editApplicationForm.php + None + 151 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 6d6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:151 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:155 + + + + <input type="hidden" id="currentDataClassificationId" value="<?php echo $applicationData[0]['dataclassificationid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:155 + sample-php/src/editApplicationForm.php + None + 155 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 706fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:155 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:160 + + + + <input type="hidden" id="currentDeploymentEnvironmentId" value="<?php echo $applicationData[0]['deploymentenvironmentid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:160 + sample-php/src/editApplicationForm.php + None + 160 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 736fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:160 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:165 + + + + <input type="text" class="form-control" id="deploymentEnvironmentUrl" name="deploymentEnvironmentUrl" value="<?php echo $applicationData[0]['deploymentenvironmenturl']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:165 + sample-php/src/editApplicationForm.php + None + 165 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 766fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:165 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:169 + + + + <input type="hidden" id="currentRiskLevelId" value="<?php echo $applicationData[0]['risklevelid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:169 + sample-php/src/editApplicationForm.php + None + 169 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 796fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:169 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:174 + + + + <input type="text" class="form-control" id="regulations" name="regulations" value="<?php echo $applicationData[0]['regulations']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:174 + sample-php/src/editApplicationForm.php + None + 174 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 7c6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:174 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:178 + + + + <input type="text" class="form-control" id="chatChannel" name="chatChannel" value="<?php echo $applicationData[0]['chatchannel']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:178 + sample-php/src/editApplicationForm.php + None + 178 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 7f6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:178 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:182 + + + + <input type="text" class="form-control" id="agileScrumBoardUrl" name="agileScrumBoardUrl" value="<?php echo $applicationData[0]['agilescrumboardurl']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:182 + sample-php/src/editApplicationForm.php + None + 182 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 826fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:182 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:186 + + + + <input type="text" class="form-control" id="buildServerUrl" name="buildServerUrl" value="<?php echo $applicationData[0]['buildserverurl']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:186 + sample-php/src/editApplicationForm.php + None + 186 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 856fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:186 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:190 + + + + <input type="text" class="form-control" id="age" name="age" value="<?php echo $applicationData[0]['age']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:190 + sample-php/src/editApplicationForm.php + None + 190 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 886fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:190 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:194 + + + + <input type="hidden" id="currentLifecycleStageId" value="<?php echo $applicationData[0]['lifecyclestageid']; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:194 + sample-php/src/editApplicationForm.php + None + 194 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 8b6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:194 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php:197 + + + + <input type="hidden" id="appId" name="appId" value="<?php echo $appId; ?>"> + + + + + + + + + Potential user controlled data within PHP converted to HTML + High + + Potential user controlled data within PHP converted to HTML + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/editApplicationForm.php:197 + sample-php/src/editApplicationForm.php + None + 197 + 0 + 0b8355ff-748d-ef11-8473-000d3a0fc910 + 8e6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/editApplicationForm.php:197 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential XSS vulnerability detected in jQuery.append() method + sample-php/src/manageApplicationIntegrations.php:220 + + + + $("#accessibility").append('<option value="'+Accessibility[i].guid+'">'+Accessibility[i].name+'</option>') + + + + + + + + + Potential XSS vulnerability detected in jQuery.append() method + High + + Potential XSS vulnerability detected in jQuery.append() method + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/manageApplicationIntegrations.php:220 + sample-php/src/manageApplicationIntegrations.php + None + 220 + 0 + 0e8355ff-748d-ef11-8473-000d3a0fc910 + 916fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/manageApplicationIntegrations.php:220 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential XSS vulnerability detected in jQuery.append() method + sample-php/src/manageApplicationIntegrations.php:224 + + + + $("#businessRisk").append('<option value="'+BusinessRisk[i].guid+'">'+BusinessRisk[i].name+'</option>') + + + + + + + + + Potential XSS vulnerability detected in jQuery.append() method + High + + Potential XSS vulnerability detected in jQuery.append() method + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/manageApplicationIntegrations.php:224 + sample-php/src/manageApplicationIntegrations.php + None + 224 + 0 + 0e8355ff-748d-ef11-8473-000d3a0fc910 + 946fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/manageApplicationIntegrations.php:224 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential XSS vulnerability detected in jQuery.append() method + sample-php/src/manageApplicationIntegrations.php:227 + + + + $("#devPhase").append('<option value="'+DevPhase[i].guid+'">'+DevPhase[i].name+'</option>') + + + + + + + + + Potential XSS vulnerability detected in jQuery.append() method + High + + Potential XSS vulnerability detected in jQuery.append() method + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/manageApplicationIntegrations.php:227 + sample-php/src/manageApplicationIntegrations.php + None + 227 + 0 + 0e8355ff-748d-ef11-8473-000d3a0fc910 + 976fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/manageApplicationIntegrations.php:227 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential XSS vulnerability detected in jQuery.append() method + sample-php/src/manageApplicationIntegrations.php:230 + + + + $("#devStrategy").append('<option value="'+DevStrategy[i].guid+'">'+DevStrategy[i].name+'</option>') + + + + + + + + + Potential XSS vulnerability detected in jQuery.append() method + High + + Potential XSS vulnerability detected in jQuery.append() method + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/manageApplicationIntegrations.php:230 + sample-php/src/manageApplicationIntegrations.php + None + 230 + 0 + 0e8355ff-748d-ef11-8473-000d3a0fc910 + 9a6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/manageApplicationIntegrations.php:230 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting + + 1 + + + + Potential XSS vulnerability detected in jQuery.append() method + sample-php/src/manageApplicationIntegrations.php:233 + + + + $("#issueTemplate").append('<option value="'+issueTemplates[i].id+'">'+issueTemplates[i].name+'</option>') + + + + + + + + + Potential XSS vulnerability detected in jQuery.append() method + High + + Potential XSS vulnerability detected in jQuery.append() method + + + + CrossSiteScripting + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + clientCodeExecution + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Cross-Site Scripting + sample-php/src/manageApplicationIntegrations.php:233 + sample-php/src/manageApplicationIntegrations.php + None + 233 + 0 + 0e8355ff-748d-ef11-8473-000d3a0fc910 + 9d6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting + Location: → sample-php/src/manageApplicationIntegrations.php:233 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + Injection + + 1 + + + + The file_uploads directive is enabled + sample-php/config/php.ini:825 + + + + file_uploads = On + + + + + + + + + The file_uploads directive is enabled + High + + The file_uploads directive is enabled + + + + Injection + + + + + High + 3 + SAST + + 74 + + + catAbuseOfFunctionality + + + maliciousContent + + + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Injection + sample-php/config/php.ini:825 + sample-php/config/php.ini + None + 825 + 0 + 088355ff-748d-ef11-8473-000d3a0fc910 + 2f8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Injection + Location: → sample-php/config/php.ini:825 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + Injection + + 1 + + + + The allow_url_fopen directive is enabled + sample-php/config/php.ini:845 + + + + allow_url_fopen = On + + + + + + + + + The allow_url_fopen directive is enabled + High + + The allow_url_fopen directive is enabled + + + + Injection + + + + + High + 3 + SAST + + 74 + + + catAbuseOfFunctionality + + + maliciousContent + + + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Injection + sample-php/config/php.ini:845 + sample-php/config/php.ini + None + 845 + 0 + 048355ff-748d-ef11-8473-000d3a0fc910 + 328355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Injection + Location: → sample-php/config/php.ini:845 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + ErrorHandling.Missing + + 1 + + + + The display_errors directive has been enabled + sample-php/config/php.ini:482 + + + + display_errors = On + + + + + + + + + The display_errors directive has been enabled + High + + The display_errors directive has been enabled + + + + ErrorHandling.Missing + + + + + High + 3 + SAST + + 544 + + + catAbuseOfFunctionality + + + WB_maskAnomalies + + + errorMessagesReturned + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Missing Standardized Error Handling Mechanism + sample-php/config/php.ini:482 + sample-php/config/php.ini + None + 482 + 0 + 0c8355ff-748d-ef11-8473-000d3a0fc910 + 298355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → ErrorHandling.Missing + Location: → sample-php/config/php.ini:482 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + PathTraversal + + 1 + + + + Potential path traversal through variable argument + sample-php/src/db.php:42 + + + + file_get_contents($dbPassFile) + + + + + + + + + Potential path traversal through variable argument + High + + Potential path traversal through variable argument + + + + PathTraversal + + + + + High + 3 + SAST + + 73 + + + catPathTraversal + + + dataResourceDownload + WB_anyFileAccess + + + dotDotNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + PathTraversal + sample-php/src/db.php:42 + sample-php/src/db.php + None + 42 + 0 + 028355ff-748d-ef11-8473-000d3a0fc910 + 4c6fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → PathTraversal + Location: → sample-php/src/db.php:42 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + PathTraversal + + 1 + + + + Potential path traversal through variable argument + sample-php/src/secret.php:42 + + + + file_get_contents($secretKeyFile) + + + + + + + + + Potential path traversal through variable argument + High + + Potential path traversal through variable argument + + + + PathTraversal + + + + + High + 3 + SAST + + 73 + + + catPathTraversal + + + dataResourceDownload + WB_anyFileAccess + + + dotDotNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + PathTraversal + sample-php/src/secret.php:42 + sample-php/src/secret.php + None + 42 + 0 + 028355ff-748d-ef11-8473-000d3a0fc910 + a06fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → PathTraversal + Location: → sample-php/src/secret.php:42 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + PathTraversal + + 1 + + + + Potential path traversal through variable argument + sample-php/src/secret.php:63 + + + + file_get_contents($ivSeedFile) + + + + + + + + + Potential path traversal through variable argument + High + + Potential path traversal through variable argument + + + + PathTraversal + + + + + High + 3 + SAST + + 73 + + + catPathTraversal + + + dataResourceDownload + WB_anyFileAccess + + + dotDotNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + PathTraversal + sample-php/src/secret.php:63 + sample-php/src/secret.php + None + 63 + 0 + 028355ff-748d-ef11-8473-000d3a0fc910 + a36fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → PathTraversal + Location: → sample-php/src/secret.php:63 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + PrivilegeEscalation + + 1 + + + + No non-root USER specified in Dockerfile configuration + sample-php/Dockerfile:1 + + + + FROM php:7.4-apache + + + + + + + + + No non-root USER specified in Dockerfile configuration + High + + No non-root USER specified in Dockerfile configuration + + + + PrivilegeEscalation + + + + + High + 3 + SAST + + 266 + + + catInsufficientAuthentication + + + privilegeEscalation + + + insecureWebAppConfiguration + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + PrivilegeEscalation + sample-php/Dockerfile:1 + sample-php/Dockerfile + None + 1 + 0 + 098355ff-748d-ef11-8473-000d3a0fc910 + 1a8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → PrivilegeEscalation + Location: → sample-php/Dockerfile:1 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminApplicationOwners.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminApplicationOwners.php:96 + sample-php/src/adminApplicationOwners.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 4d8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminApplicationOwners.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminApplicationTypes.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminApplicationTypes.php:96 + sample-php/src/adminApplicationTypes.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 508355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminApplicationTypes.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminBusinessUnits.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminBusinessUnits.php:96 + sample-php/src/adminBusinessUnits.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 538355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminBusinessUnits.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminCodeLanguages.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminCodeLanguages.php:96 + sample-php/src/adminCodeLanguages.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 568355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminCodeLanguages.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminDataClassifications.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminDataClassifications.php:96 + sample-php/src/adminDataClassifications.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 598355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminDataClassifications.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminDeploymentEnvironments.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminDeploymentEnvironments.php:96 + sample-php/src/adminDeploymentEnvironments.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 5c8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminDeploymentEnvironments.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminExposureLevels.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminExposureLevels.php:96 + sample-php/src/adminExposureLevels.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + a28355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminExposureLevels.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminLifecycleStages.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminLifecycleStages.php:96 + sample-php/src/adminLifecycleStages.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + a58355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminLifecycleStages.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminRiskLevels.php:96 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminRiskLevels.php:96 + sample-php/src/adminRiskLevels.php + None + 96 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + a88355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminRiskLevels.php:96 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/adminUsers.php:98 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/adminUsers.php:98 + sample-php/src/adminUsers.php + None + 98 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + ae8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/adminUsers.php:98 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/applications.php:97 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/applications.php:97 + sample-php/src/applications.php + None + 97 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 436fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/applications.php:97 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/applications.php:101 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/applications.php:101 + sample-php/src/applications.php + None + 101 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 466fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/applications.php:101 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + CrossSiteScripting.Reflected + + 1 + + + + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/applications.php:105 + + + + ).attr("href", url) + + + + + + + + + JQuery Potentially Setting An Attribute With Tainted Data + High + + JQuery Potentially Setting An Attribute With Tainted Data + + + + CrossSiteScripting.Reflected + + + + + High + 3 + SAST + + 79 + + + catCrossSiteScripting + + + userImpersonation + + + hazardousCharactersNotSanitized + incorrectDataType + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Reflected Cross Site Scripting + sample-php/src/applications.php:105 + sample-php/src/applications.php + None + 105 + 0 + 038355ff-748d-ef11-8473-000d3a0fc910 + 496fa805-758d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → CrossSiteScripting.Reflected + Location: → sample-php/src/applications.php:105 + Severity: → High + Scanner: → AppScan Static Analyzer +
+ + + + + + AppDOS + + 1 + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + sample-php/config/php.ini:1108 + + + + odbc.max_persistent = -1 + + + + + + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + Medium + + The number of concurrent database connections (persistent or otherwise) has been set too high + + + + AppDOS + + + + + Medium + 2 + SAST + + 400 + + + catDenialOfService + + + denialOfService + + + boundsCheckingOnParamValues + inputLengthNotChecked + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + AppDOS + sample-php/config/php.ini:1108 + sample-php/config/php.ini + None + 1108 + 0 + 118355ff-748d-ef11-8473-000d3a0fc910 + 358355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AppDOS + Location: → sample-php/config/php.ini:1108 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + AppDOS + + 1 + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + sample-php/config/php.ini:1112 + + + + odbc.max_links = -1 + + + + + + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + Medium + + The number of concurrent database connections (persistent or otherwise) has been set too high + + + + AppDOS + + + + + Medium + 2 + SAST + + 400 + + + catDenialOfService + + + denialOfService + + + boundsCheckingOnParamValues + inputLengthNotChecked + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + AppDOS + sample-php/config/php.ini:1112 + sample-php/config/php.ini + None + 1112 + 0 + 118355ff-748d-ef11-8473-000d3a0fc910 + 388355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AppDOS + Location: → sample-php/config/php.ini:1112 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + AppDOS + + 1 + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + sample-php/config/php.ini:1129 + + + + mysqli.max_persistent = -1 + + + + + + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + Medium + + The number of concurrent database connections (persistent or otherwise) has been set too high + + + + AppDOS + + + + + Medium + 2 + SAST + + 400 + + + catDenialOfService + + + denialOfService + + + boundsCheckingOnParamValues + inputLengthNotChecked + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + AppDOS + sample-php/config/php.ini:1129 + sample-php/config/php.ini + None + 1129 + 0 + 118355ff-748d-ef11-8473-000d3a0fc910 + 3b8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AppDOS + Location: → sample-php/config/php.ini:1129 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + AppDOS + + 1 + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + sample-php/config/php.ini:1141 + + + + mysqli.max_links = -1 + + + + + + + + + The number of concurrent database connections (persistent or otherwise) has been set too high + Medium + + The number of concurrent database connections (persistent or otherwise) has been set too high + + + + AppDOS + + + + + Medium + 2 + SAST + + 400 + + + catDenialOfService + + + denialOfService + + + boundsCheckingOnParamValues + inputLengthNotChecked + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + AppDOS + sample-php/config/php.ini:1141 + sample-php/config/php.ini + None + 1141 + 0 + 118355ff-748d-ef11-8473-000d3a0fc910 + 3e8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AppDOS + Location: → sample-php/config/php.ini:1141 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + AccessControl.Bypass + + 1 + + + + The open_basedir directive has been set to an insecure value + sample-php/config/php.ini:302 + + + + open_basedir, if set, limits all file operations to the defined directory + + + + + + + + + The open_basedir directive has been set to an insecure value + Medium + + The open_basedir directive has been set to an insecure value + + + + AccessControl.Bypass + + + + + Medium + 2 + SAST + + 288 + + + catInsufficientAuthorization + + + privilegeEscalation + + + insecureWebAppConfiguration + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Authentication Bypass + sample-php/config/php.ini:302 + sample-php/config/php.ini + None + 302 + 0 + 0a8355ff-748d-ef11-8473-000d3a0fc910 + 1d8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AccessControl.Bypass + Location: → sample-php/config/php.ini:302 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + AccessControl.Bypass + + 1 + + + + The open_basedir directive has been set to an insecure value + sample-php/config/php.ini:338 + + + + open_basedir is set, the cache is disabled + + + + + + + + + The open_basedir directive has been set to an insecure value + Medium + + The open_basedir directive has been set to an insecure value + + + + AccessControl.Bypass + + + + + Medium + 2 + SAST + + 288 + + + catInsufficientAuthorization + + + privilegeEscalation + + + insecureWebAppConfiguration + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Authentication Bypass + sample-php/config/php.ini:338 + sample-php/config/php.ini + None + 338 + 0 + 0a8355ff-748d-ef11-8473-000d3a0fc910 + 238355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → AccessControl.Bypass + Location: → sample-php/config/php.ini:338 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + Configuration + + 1 + + + + Insecure use of Base image version detected in Dockerfile + sample-php/Dockerfile:1 + + + + FROM php:7.4-apache + + + + + + + + + Insecure use of Base image version detected in Dockerfile + Medium + + Insecure use of Base image version detected in Dockerfile + + + + Configuration + + + + + Medium + 2 + SAST + + 16 + + + catApplicationMisconfiguration + + + sensitiveInformation + + + insecureWebAppConfiguration + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Configuration + sample-php/Dockerfile:1 + sample-php/Dockerfile + None + 1 + 0 + 058355ff-748d-ef11-8473-000d3a0fc910 + 178355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Configuration + Location: → sample-php/Dockerfile:1 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + Logging + + 1 + + + + The ignore_repeated_errors directive has been disabled + sample-php/config/php.ini:511 + + + + ignore_repeated_errors = Off + + + + + + + + + The ignore_repeated_errors directive has been disabled + Medium + + The ignore_repeated_errors directive has been disabled + + + + Logging + + + + + Medium + 2 + SAST + + 778 + + + catInsufficientAuthentication + + + WB_maskAnomalies + + + boundsCheckingOnParamValues + incorrectDataType + inputLengthNotChecked + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Logging + sample-php/config/php.ini:511 + sample-php/config/php.ini + None + 511 + 0 + 0d8355ff-748d-ef11-8473-000d3a0fc910 + 2c8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Logging + Location: → sample-php/config/php.ini:511 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + Privacy + + 1 + + + + The expose_php directive is enabled + sample-php/config/php.ini:379 + + + + expose_php = On + + + + + + + + + The expose_php directive is enabled + Medium + + The expose_php directive is enabled + + + + Privacy + + + + + Medium + 2 + SAST + + 359 + + + catInformationLeakage + + + sensitiveInformation + + + WB_InformationLeakage + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Privacy + sample-php/config/php.ini:379 + sample-php/config/php.ini + None + 379 + 0 + 108355ff-748d-ef11-8473-000d3a0fc910 + 268355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Privacy + Location: → sample-php/config/php.ini:379 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + SessionManagement.Cookies + + 1 + + + + The session.cookie_lifetime directive is set to zero + sample-php/config/php.ini:1365 + + + + session.cookie_lifetime = 0 + + + + + + + + + The session.cookie_lifetime directive is set to zero + Medium + + The session.cookie_lifetime directive is set to zero + + + + SessionManagement.Cookies + + + + + Medium + 2 + SAST + + 565 + + + catCredentialSessionPrediction + + + sessionCookieNotRAM + unsecureCookieInSSL + userImpersonation + + + insecureWebAppConfiguration + nonSecureCookiesSentOverSSL + sessionCookieNotRAM + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + SessionManagement.Cookies + sample-php/config/php.ini:1365 + sample-php/config/php.ini + None + 1365 + 0 + 078355ff-748d-ef11-8473-000d3a0fc910 + 478355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → SessionManagement.Cookies + Location: → sample-php/config/php.ini:1365 + Severity: → Medium + Scanner: → AppScan Static Analyzer +
+ + + + + + Communications.Unencrypted + + 1 + + + + Open communications scheme detected + sample-php/src/about.php:44 + + + + "http://wenzhixin.net.cn/" + + + + + + + + + Open communications scheme detected + Low + + Open communications scheme detected + + + + Communications.Unencrypted + + + + + Low + 1 + SAST + + 311 + + + catInformationLeakage + + + sensitiveInformation + sensitiveNotOverSSL + + + GETParamOverSSL + insecureWebAppConfiguration + sensitiveDataNotSSL + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Missing Encryption of Sensitive Data + sample-php/src/about.php:44 + sample-php/src/about.php + None + 44 + 0 + 128355ff-748d-ef11-8473-000d3a0fc910 + 4a8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Communications.Unencrypted + Location: → sample-php/src/about.php:44 + Severity: → Low + Scanner: → AppScan Static Analyzer +
+ + + + + + Communications.Unencrypted + + 1 + + + + Open communications scheme detected + sample-php/src/adminUsers.php:35 + + + + "http://<?php echo $_SERVER[' + + + + + + + + + Open communications scheme detected + Low + + Open communications scheme detected + + + + Communications.Unencrypted + + + + + Low + 1 + SAST + + 311 + + + catInformationLeakage + + + sensitiveInformation + sensitiveNotOverSSL + + + GETParamOverSSL + insecureWebAppConfiguration + sensitiveDataNotSSL + + Open + Friday, October 18, 2024 + Friday, October 18, 2024 + Missing Encryption of Sensitive Data + sample-php/src/adminUsers.php:35 + sample-php/src/adminUsers.php + None + 35 + 0 + 128355ff-748d-ef11-8473-000d3a0fc910 + ab8355ff-748d-ef11-8473-000d3a0fc910 + + + 10/18/2024 17:18:37 +
+ IssueTypeName: → Communications.Unencrypted + Location: → sample-php/src/adminUsers.php:35 + Severity: → Low + Scanner: → AppScan Static Analyzer +
+ + + + + + + 2024-10-18 17:18:37Z + The open_basedir directive has been set to an insecure value + sample-php/config/php.ini + AccessControl.Bypass + Authentication Bypass + + + 2024-10-18 17:18:37Z + Verify Session Data Stored in A Secure Directory + sample-php/config/php.ini + AccessControl.Bypass + Authentication Bypass + + + 2024-10-18 17:18:37Z + The number of concurrent database connections (persistent or otherwise) has been set too high + sample-php/config/php.ini + AppDOS + AppDOS + + + 2024-10-18 17:18:37Z + Open communications scheme detected + sample-php/src/about.php + Communications.Unencrypted + Missing Encryption of Sensitive Data + + + 2024-10-18 17:18:37Z + Insecure use of Base image version detected in Dockerfile + sample-php/Dockerfile + Configuration + Configuration + + + 2024-10-18 17:18:37Z + The disable_functions parameter is empty + sample-php/config/php.ini + Configuration + Configuration + + + 2024-10-18 17:18:37Z + Potential user controlled data within PHP converted to HTML + sample-php/src/editApplicationForm.php + CrossSiteScripting + Cross-Site Scripting + + + 2024-10-18 17:18:37Z + Potential XSS vulnerability detected in jQuery.append() method + sample-php/src/manageApplicationIntegrations.php + CrossSiteScripting + Cross-Site Scripting + + + 2024-10-18 17:18:37Z + JQuery Potentially Setting An Attribute With Tainted Data + sample-php/src/applications.php + CrossSiteScripting.Reflected + Reflected Cross Site Scripting + + + 2024-10-18 17:18:37Z + The display_errors directive has been enabled + sample-php/config/php.ini + ErrorHandling.Missing + Missing Standardized Error Handling Mechanism + + + 2024-10-18 17:18:37Z + The allow_url_fopen directive is enabled + sample-php/config/php.ini + Injection + Injection + + + 2024-10-18 17:18:37Z + The file_uploads directive is enabled + sample-php/config/php.ini + Injection + Injection + + + 2024-10-18 17:18:37Z + The ignore_repeated_errors directive has been disabled + sample-php/config/php.ini + Logging + Logging + + + 2024-10-18 17:18:37Z + Potential path traversal through variable argument + sample-php/src/db.php + PathTraversal + PathTraversal + + + 2024-10-18 17:18:37Z + The expose_php directive is enabled + sample-php/config/php.ini + Privacy + Privacy + + + 2024-10-18 17:18:37Z + No non-root USER specified in Dockerfile configuration + sample-php/Dockerfile + PrivilegeEscalation + PrivilegeEscalation + + + 2024-10-18 17:18:37Z + The session.cookie_lifetime directive is set to zero + sample-php/config/php.ini + SessionManagement.Cookies + SessionManagement.Cookies + + + diff --git a/unittests/scans/hcl_asoc_sast/no_issues.xml b/unittests/scans/hcl_asoc_sast/no_issues.xml new file mode 100644 index 00000000000..57801a47ddf --- /dev/null +++ b/unittests/scans/hcl_asoc_sast/no_issues.xml @@ -0,0 +1,630 @@ + + + + added + added to request: + Additional Data: + Advisories + Affected Products: + Vulnerable URLs + Concurrent Logins: + Application Data + Application Server: + AppScan Severity + Harmless + This request/response contains binary content, which is not included in generated reports. + Body + Failed Requests + Cause + Causes + Causes: + Id + Name + The following weak cipher suites are supported by the server: + Code + Comment + Comments + Cookie + Cookies + CVE: + CWE: + Detailed Summary + A detailed listing of the scan results, including all issue types found, all recommended remediation tasks, all vulnerable URLs, etc. This section is intended to provide a more detailed understanding of the security status of the application, as well as assist in scoping and prioritizing the work required to remedy issues found. + Tracked or session ID cookies: + Tracked or session ID parameters: + Difference: + Document Map + This report consists of the following sections: + Domain + .Net + JavaScript execution: + Entity + Entity: + Example + Summary + This section provides a high level view of the information gathered during the scan, using graphs or comparative numbers. It is intended to provide a general understanding of the security status of the application. + Expires + Filtered URLs + First Set + Fix + Fix: + Fix Recommendations + General + General Information + Header + High + High severity issues: + Host: + Index + Informational + Informational severity issues: + Introduction + Introduction and Objectives + General information about the scan, including the project name, purpose of the scan, etc. + Issue + Issues Sorted by Issue Type + Issues Sorted by URL + Issues detected across + Issue Type + Issue Types + Issue Types + J2EE + JavaScripts + Login Settings + Low + Low severity issues: + Malicious + manipulated from: + Medium + Medium severity issues: + Method + Name + New URLs + Report Produced on Tree node: + this is now the same as the one below - should be removed + Number of Issues + Objectives + AppScan performs real-time security assessments on web applications. These assessments aim to uncover any security issues in the application, explain the impact and risks associated with these issues, and provide guidance in planning and prioritizing remediation. The objective of this assignment was to perform controlled attack and penetration activities to assess the overall level of security of the application. + of + Operating system: + Original Request + Original Requests and Responses: + Original Response + Parameter + Parameters + Path + PHP + Query + Raw Test Response: + Reason + Reasoning: + Login sequence: + References: + Regulations + Remaining URLs + Remediation Task + removed + removed from request: + Removed URLs + Comprehensive Security Report + AppScan Web Application Security Report + Requested URL + Request + Response + Risk + Risk: + Rules: + Scan started: + Scan file name: + Sections + sections of the regulation: + Violated Section + GDPR Articles + Section Violation by Issue + Secure + Detailed Security Issues by Sections + Security Risks + Security Risks: + Login method: + In-session detection: + In-session pattern: + Severity + Severity: + Unique issues detected across + SSL Version + Table of Contents + Test Description: + Test Login + Test policy: + Test Request: + Test Requests and Responses: + Test Response (first) + Test Response + Test Response (last) + Test Response (next-to-last) + Technical Description: + Test Type: + Threat + WASC Threat Classification + Threat Classification: + TOC + to: + Total security issues included in the report: + Total security issues: + total security issues + Type + Unwanted + URL + URL: + Valid Login + Value + Variant + Visited URLs + Vulnerable URLs + Web server: + Issue Types that this task fixes + Simulation of the pop-up that appears when this page is opened in a browser + Location + Intent Action: + Intent Class: + Intent Data: + Intent Extra: + Intent Package: + Payload + Issues: + Method Signature: + Issue Validation Parameters: + Thread: + Timestamp: + Trace: + Issue Information + This issue was detected by AppScan's Mobile Analyzer. + Call Stack: + Header: + XML: + File Name: + File Permission: + Synopsis: + Dump: + Manifest: + Request: + Method Information + Signature: + File: + Name: + Permissions: + Class + Function + Line + Created by: + Summary of security issues + Issues + Go to Table of Contents + Issue Types: + Application Version: + Scan Name: + First Variant: + Variants Found: + OWASP: + X-Force: + (Only the first one is displayed) + No security issues discovered in the scan + Scan status: + Note that the scan on which this report is based was not completed. + Success + Refer to the site for more details. + Sink + Source + OWASP Top 10 + File Path: + Reference: + Free Plan + Please Note: + This summary report was created with the Application Security Analyzer Free Plan. Once you purchase the full service you will have access to a complete report with detailed descriptions of the issues found and how to remediate them. + Activities: + Coverage + Activities + This report includes important security information about your mobile application. + Fix Recommendations: + Component + Glossary + Privacy: + Symbols Found: + Mobile Application Report + Class Signature: + Defining Class + Controllable Object Fields: + Receivers: + Services: + Receivers + Services + Method Signature: + Issue Information: + Settings For Target: + Provider: + Sample Report + Login Mode: + Views: + Views + None + Automatic + Manual + Calling Line + Calling Method + Class + Classification + Critical + Date Created + Discovery Method + Last Updated + Package + Scans: + Severity Value + Status + API + Element + Scheme + Sink: + Source: + Trace + Source File + Access Complexity + Access Vector + Authentication + Availability Impact + Confidentiality Impact + CVE + CVSS + Description + Exploitability + Integrity Impact + Summary + Activities that were tested for security vulnerabilities, as defined in the app's manifest. + Issue Types that ASoC has tested your application for. + Receivers that were tested for security vulnerabilities, as defined in the app's manifest. + Services that were tested for security vulnerabilities, as defined in the app's manifest. + Titles of Views encountered when crawling the app. + Leaked Information: + Password: + User Name: + Mitigation: + Alternate Fix Suggestions + This method is a part of the application code and appears in each of the grouped issue's traces. You should begin investigating a possible fix in the implementation of the method. + This method is a third-party API, with a common caller in each of the grouped issue's traces. You should begin investigating a possible fix at the caller: + Replace/Repair Vulnerable OpenSource: + Please refer to the details of this issue for fix recommendations. + Business Impact: + Created: + Security Report for: + Regulation Report for: + Notes: + - Details + - Discussion + Contains: + {0} issues + (out of {0}) + - Audit Trail + Cause: + HCL Application Security on Cloud, Version + Directory: + Constant Value: + Found in: + Informational + Low + Medium + High + Critical + User Supplied Credit Card Number: + User Supplied Id: + User Supplied Input: + User Supplied Password: + User Supplied Phone Number: + User Supplied User Name: + - Fix Recommendation + Included for each issue separately. + Port: + Application Name: + Copyleft: + Copyright Risk: + Date: + Library Name: + License Name: + Open Source Report + Licenses + Linking: + Patent Risk: + Reference Type: + Reference URL: + Risk Level: + Libraries with high risk level: + Libraries with low risk level: + Libraries with medium risk level: + Libraries with unknown risk level: + Royalty Free: + Total Open Source Libraries: + AppScan on Cloud + Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, regardless of whether the code is dynamically or statically linked. (example: GPL). Attribution and/or license terms may be required. + Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. These licenses include LGPL and GPL with Class Path Exception, as examples. Attribution and/or license terms may be required. + Anyone may use the code without restriction. + Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero). Attribution and/or license terms may be required. + Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero). Attribution and/or license terms may be required. + Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available. Attribution and/or license terms may also be required. + Anyone who distributes the code must provide certain notices as described in the license. These generally require providing attributions and/or license terms with the software. + Specific identified patent risks + Royalty free and no identified patent risks + No patents granted + Royalty free unless litigated + Report created at: + Report for scan: + Open source library name + Risk level + Security Report + Open Source Libraries + Unknown + Reference + In this section you’ll find more details about the fields and their values. + Disabled + Enabled + None + Automatic + Prompt + Recorded login + Unknown + (Modified) + Any + Unknown + Sample Trace + License Type + Scan Security Report + This report lists all the open source libraries found in your scan, and their associated open source Risk Levels. + + Open Source Risk Levels are not the same as the Risk Levels in Security Reports, and not related to the vulnerabilities of specific issues. + You can see if any of the libraries have known vulnerabilities in Issue Management view. + Number Of Libraries + Report Date: + Scanned under Application: + Scan Start Date: + Total Open Source License Types: + Details + Threat Classification: + Fix Groups: + Implementation of {0} + Usage of {0} via {1} + Fix Group #{0}: {1} + This section groups {0} issues of type {1} with significant commonality in the their traces. + This section groups {0} issues with significant commonality in their traces. The following issue types are included: + This section groups {0} issues of type {1} with a common opensource file. + This section groups {0} issues with a common opensource file. The following issue types are included: + These issues are grouped together to try to help you find a common fix that resolves them all. + These method calls are also common to the traces of the issues in this group. They represent other possible These method calls are also common to the traces of the issues in this group. They represent other possible locations to investigate a fix. + All {0} issues in this report appear to be independent, lacking the commonality required in their traces to be grouped together. They all appear in this section. + This section lists the remaining {0} issues that could not be included in any other fix groups. + The following issue types are included: + Ungrouped + Fix Recommendation + Library Version: + API: + at line + Call + Caller: + Description: + Name: + Example Trace: + File + Lost Sink + Not a Validator + Sample Trace + Publish date: + Resolution: + Source and Sink + Tainted Arg + Taint Propagator + via + Virtual Lost Sink + Test Optimization: + Normal + Optimized + Issue ID: + Compliance Security Report + Undefined + Undefined + Title: + Report Date UTC: + Fix Group ID: + Method: + Query String: + URI: + Arguments: + Call Trace: + Object: + Return: + Stack: + Type: + By Fix Groups: + By Issue Types: + Fix-Groups + Library: + Location: + Status: + Common API Call: + Common Fix Point: + Common Open Source: + Common Fix Point: + OpenSource + API: + Location of fix: + Library name: + Location of fix: + Advisory: + Custom Advisory: + Hosts + Fast + Faster + Fastest + No Optimization + How to Fix: + Report Name: + Technology: + Scan Information + General Advisory: + Finding specific advisory: + Example: + Exploit Example: + (none) + Not applicable for this issue. + HTTP Only + JS Stack Trace + Same Site + False + True + (Mixed) + Articles + CWE + Exploit example + External references + Recommendations + Language: + How to Fix + See also issue-details 'Resolution' section below. + Mitigation + Important: + Note: The number of issues found exceeded the maximum that can be shown in a single set of results. +The scan results show {0} representitive issues. + Personal Scan + Personal Scans are deleted after {0} days, unless promoted to the application within that time. + Additional Information: + Fixed + In Progress + New + Noise + Open + Passed + Reopened + Definitive + Scan Coverage Findings + Suspect + Cipher Suites: + ID + Fix recommendation + Default (Production) + Default (Staging) + Default + Body + Cookie + Global + Header + Header Name + Link + Other + Page + Parameter + Parameter Name + Query + Role + Source Line + Unspecified + Critical + High + Low + Medium + Unspecified + Report for application: + This report lists all the open source libraries found in your application, and their associated open source Risk Levels. + License Details + Library Name + Version + Undefined + Critical severity issues: + Copyleft applies on modifications as well as own code that uses the open-source software. + Non-copyleft license. + Copyleft applies only to modifications. + Undefined + Dynamic linking will not infect the linking code. + The licensing of the linking code will remain unaffected. + Undefined + Linking will infect the code linking code. + Alpine + Arch Linux + Bower + Build Configuration File + Details available in CDNJS + Debian + .NET + Eclipse OSGI Bundle + Details available in GitHub repository + License information in host site + License File + Node package manager + NuGet Package + Other + POM file + Project Home Page + Python Package Index + Readme File + RPM + RubyGems + License assigned manually by a user in the organization + Undefined + High + Low + Medium + Undefined + Unknown + Royalty-free unless litigated. + No patents granted. + Royalty-free and no identified patent risks. + Undefined severity issues: + Last Found + CVSS Version + Total Items: + IAST call stack: + Undefined + - Comments + Method: + Both + Config + Hash + Dependency Root: + Source-file and Package-manager + Package-manager + Source-file + None + + + + + HCL + Application Security on Cloud + python-sample + Unspecified + Friday, October 18, 2024 + FullReport + 0 + False + 30 + 20000 + False + ASoC + + + 1 + 1 + 1 + 1 + 0 + 1 + 1 + 0 + 0 + 0 + 0 + 0 + 0 + + + + + + + + \ No newline at end of file diff --git a/unittests/scans/hcl_asoc_sast/one_issue.xml b/unittests/scans/hcl_asoc_sast/one_issue.xml new file mode 100644 index 00000000000..237341c42da --- /dev/null +++ b/unittests/scans/hcl_asoc_sast/one_issue.xml @@ -0,0 +1,704 @@ + + + + added + added to request: + Additional Data: + Advisories + Affected Products: + Vulnerable URLs + Concurrent Logins: + Application Data + Application Server: + AppScan Severity + Harmless + This request/response contains binary content, which is not included in generated reports. + Body + Failed Requests + Cause + Causes + Causes: + Id + Name + The following weak cipher suites are supported by the server: + Code + Comment + Comments + Cookie + Cookies + CVE: + CWE: + Detailed Summary + A detailed listing of the scan results, including all issue types found, all recommended remediation tasks, all vulnerable URLs, etc. This section is intended to provide a more detailed understanding of the security status of the application, as well as assist in scoping and prioritizing the work required to remedy issues found. + Tracked or session ID cookies: + Tracked or session ID parameters: + Difference: + Document Map + This report consists of the following sections: + Domain + .Net + JavaScript execution: + Entity + Entity: + Example + Summary + This section provides a high level view of the information gathered during the scan, using graphs or comparative numbers. It is intended to provide a general understanding of the security status of the application. + Expires + Filtered URLs + First Set + Fix + Fix: + Fix Recommendations + General + General Information + Header + High + High severity issues: + Host: + Index + Informational + Informational severity issues: + Introduction + Introduction and Objectives + General information about the scan, including the project name, purpose of the scan, etc. + Issue + Issues Sorted by Issue Type + Issues Sorted by URL + Issues detected across + Issue Type + Issue Types + Issue Types + J2EE + JavaScripts + Login Settings + Low + Low severity issues: + Malicious + manipulated from: + Medium + Medium severity issues: + Method + Name + New URLs + Report Produced on Tree node: + this is now the same as the one below - should be removed + Number of Issues + Objectives + AppScan performs real-time security assessments on web applications. These assessments aim to uncover any security issues in the application, explain the impact and risks associated with these issues, and provide guidance in planning and prioritizing remediation. The objective of this assignment was to perform controlled attack and penetration activities to assess the overall level of security of the application. + of + Operating system: + Original Request + Original Requests and Responses: + Original Response + Parameter + Parameters + Path + PHP + Query + Raw Test Response: + Reason + Reasoning: + Login sequence: + References: + Regulations + Remaining URLs + Remediation Task + removed + removed from request: + Removed URLs + Comprehensive Security Report + AppScan Web Application Security Report + Requested URL + Request + Response + Risk + Risk: + Rules: + Scan started: + Scan file name: + Sections + sections of the regulation: + Violated Section + GDPR Articles + Section Violation by Issue + Secure + Detailed Security Issues by Sections + Security Risks + Security Risks: + Login method: + In-session detection: + In-session pattern: + Severity + Severity: + Unique issues detected across + SSL Version + Table of Contents + Test Description: + Test Login + Test policy: + Test Request: + Test Requests and Responses: + Test Response (first) + Test Response + Test Response (last) + Test Response (next-to-last) + Technical Description: + Test Type: + Threat + WASC Threat Classification + Threat Classification: + TOC + to: + Total security issues included in the report: + Total security issues: + total security issues + Type + Unwanted + URL + URL: + Valid Login + Value + Variant + Visited URLs + Vulnerable URLs + Web server: + Issue Types that this task fixes + Simulation of the pop-up that appears when this page is opened in a browser + Location + Intent Action: + Intent Class: + Intent Data: + Intent Extra: + Intent Package: + Payload + Issues: + Method Signature: + Issue Validation Parameters: + Thread: + Timestamp: + Trace: + Issue Information + This issue was detected by AppScan's Mobile Analyzer. + Call Stack: + Header: + XML: + File Name: + File Permission: + Synopsis: + Dump: + Manifest: + Request: + Method Information + Signature: + File: + Name: + Permissions: + Class + Function + Line + Created by: + Summary of security issues + Issues + Go to Table of Contents + Issue Types: + Application Version: + Scan Name: + First Variant: + Variants Found: + OWASP: + X-Force: + (Only the first one is displayed) + No security issues discovered in the scan + Scan status: + Note that the scan on which this report is based was not completed. + Success + Refer to the site for more details. + Sink + Source + OWASP Top 10 + File Path: + Reference: + Free Plan + Please Note: + This summary report was created with the Application Security Analyzer Free Plan. Once you purchase the full service you will have access to a complete report with detailed descriptions of the issues found and how to remediate them. + Activities: + Coverage + Activities + This report includes important security information about your mobile application. + Fix Recommendations: + Component + Glossary + Privacy: + Symbols Found: + Mobile Application Report + Class Signature: + Defining Class + Controllable Object Fields: + Receivers: + Services: + Receivers + Services + Method Signature: + Issue Information: + Settings For Target: + Provider: + Sample Report + Login Mode: + Views: + Views + None + Automatic + Manual + Calling Line + Calling Method + Class + Classification + Critical + Date Created + Discovery Method + Last Updated + Package + Scans: + Severity Value + Status + API + Element + Scheme + Sink: + Source: + Trace + Source File + Access Complexity + Access Vector + Authentication + Availability Impact + Confidentiality Impact + CVE + CVSS + Description + Exploitability + Integrity Impact + Summary + Activities that were tested for security vulnerabilities, as defined in the app's manifest. + Issue Types that ASoC has tested your application for. + Receivers that were tested for security vulnerabilities, as defined in the app's manifest. + Services that were tested for security vulnerabilities, as defined in the app's manifest. + Titles of Views encountered when crawling the app. + Leaked Information: + Password: + User Name: + Mitigation: + Alternate Fix Suggestions + This method is a part of the application code and appears in each of the grouped issue's traces. You should begin investigating a possible fix in the implementation of the method. + This method is a third-party API, with a common caller in each of the grouped issue's traces. You should begin investigating a possible fix at the caller: + Replace/Repair Vulnerable OpenSource: + Please refer to the details of this issue for fix recommendations. + Business Impact: + Created: + Security Report for: + Regulation Report for: + Notes: + - Details + - Discussion + Contains: + {0} issues + (out of {0}) + - Audit Trail + Cause: + HCL Application Security on Cloud, Version + Directory: + Constant Value: + Found in: + Informational + Low + Medium + High + Critical + User Supplied Credit Card Number: + User Supplied Id: + User Supplied Input: + User Supplied Password: + User Supplied Phone Number: + User Supplied User Name: + - Fix Recommendation + Included for each issue separately. + Port: + Application Name: + Copyleft: + Copyright Risk: + Date: + Library Name: + License Name: + Open Source Report + Licenses + Linking: + Patent Risk: + Reference Type: + Reference URL: + Risk Level: + Libraries with high risk level: + Libraries with low risk level: + Libraries with medium risk level: + Libraries with unknown risk level: + Royalty Free: + Total Open Source Libraries: + AppScan on Cloud + Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, regardless of whether the code is dynamically or statically linked. (example: GPL). Attribution and/or license terms may be required. + Anyone who distributes a modification of the code or a product that is based on or contains part of the code may be required to make publicly available the source code for the product or modification, subject to an exception for software that dynamically links to the original code. These licenses include LGPL and GPL with Class Path Exception, as examples. Attribution and/or license terms may be required. + Anyone may use the code without restriction. + Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero). Attribution and/or license terms may be required. + Anyone who develops a product that is based on or contains part of the code, or who modifies the code, may be required to make publicly available the source code for that product or modification if s/he (a) distributes the software or (b) enables others to use the software via hosted or web services. (example: Affero). Attribution and/or license terms may be required. + Anyone who distributes a modification of the code may be required to make the source code for the modification publicly available. Attribution and/or license terms may also be required. + Anyone who distributes the code must provide certain notices as described in the license. These generally require providing attributions and/or license terms with the software. + Specific identified patent risks + Royalty free and no identified patent risks + No patents granted + Royalty free unless litigated + Report created at: + Report for scan: + Open source library name + Risk level + Security Report + Open Source Libraries + Unknown + Reference + In this section you’ll find more details about the fields and their values. + Disabled + Enabled + None + Automatic + Prompt + Recorded login + Unknown + (Modified) + Any + Unknown + Sample Trace + License Type + Scan Security Report + This report lists all the open source libraries found in your scan, and their associated open source Risk Levels. + + Open Source Risk Levels are not the same as the Risk Levels in Security Reports, and not related to the vulnerabilities of specific issues. + You can see if any of the libraries have known vulnerabilities in Issue Management view. + Number Of Libraries + Report Date: + Scanned under Application: + Scan Start Date: + Total Open Source License Types: + Details + Threat Classification: + Fix Groups: + Implementation of {0} + Usage of {0} via {1} + Fix Group #{0}: {1} + This section groups {0} issues of type {1} with significant commonality in the their traces. + This section groups {0} issues with significant commonality in their traces. The following issue types are included: + This section groups {0} issues of type {1} with a common opensource file. + This section groups {0} issues with a common opensource file. The following issue types are included: + These issues are grouped together to try to help you find a common fix that resolves them all. + These method calls are also common to the traces of the issues in this group. They represent other possible These method calls are also common to the traces of the issues in this group. They represent other possible locations to investigate a fix. + All {0} issues in this report appear to be independent, lacking the commonality required in their traces to be grouped together. They all appear in this section. + This section lists the remaining {0} issues that could not be included in any other fix groups. + The following issue types are included: + Ungrouped + Fix Recommendation + Library Version: + API: + at line + Call + Caller: + Description: + Name: + Example Trace: + File + Lost Sink + Not a Validator + Sample Trace + Publish date: + Resolution: + Source and Sink + Tainted Arg + Taint Propagator + via + Virtual Lost Sink + Test Optimization: + Normal + Optimized + Issue ID: + Compliance Security Report + Undefined + Undefined + Title: + Report Date UTC: + Fix Group ID: + Method: + Query String: + URI: + Arguments: + Call Trace: + Object: + Return: + Stack: + Type: + By Fix Groups: + By Issue Types: + Fix-Groups + Library: + Location: + Status: + Common API Call: + Common Fix Point: + Common Open Source: + Common Fix Point: + OpenSource + API: + Location of fix: + Library name: + Location of fix: + Advisory: + Custom Advisory: + Hosts + Fast + Faster + Fastest + No Optimization + How to Fix: + Report Name: + Technology: + Scan Information + General Advisory: + Finding specific advisory: + Example: + Exploit Example: + (none) + Not applicable for this issue. + HTTP Only + JS Stack Trace + Same Site + False + True + (Mixed) + Articles + CWE + Exploit example + External references + Recommendations + Language: + How to Fix + See also issue-details 'Resolution' section below. + Mitigation + Important: + Note: The number of issues found exceeded the maximum that can be shown in a single set of results. +The scan results show {0} representitive issues. + Personal Scan + Personal Scans are deleted after {0} days, unless promoted to the application within that time. + Additional Information: + Fixed + In Progress + New + Noise + Open + Passed + Reopened + Definitive + Scan Coverage Findings + Suspect + Cipher Suites: + ID + Fix recommendation + Default (Production) + Default (Staging) + Default + Body + Cookie + Global + Header + Header Name + Link + Other + Page + Parameter + Parameter Name + Query + Role + Source Line + Unspecified + Critical + High + Low + Medium + Unspecified + Report for application: + This report lists all the open source libraries found in your application, and their associated open source Risk Levels. + License Details + Library Name + Version + Undefined + Critical severity issues: + Copyleft applies on modifications as well as own code that uses the open-source software. + Non-copyleft license. + Copyleft applies only to modifications. + Undefined + Dynamic linking will not infect the linking code. + The licensing of the linking code will remain unaffected. + Undefined + Linking will infect the code linking code. + Alpine + Arch Linux + Bower + Build Configuration File + Details available in CDNJS + Debian + .NET + Eclipse OSGI Bundle + Details available in GitHub repository + License information in host site + License File + Node package manager + NuGet Package + Other + POM file + Project Home Page + Python Package Index + Readme File + RPM + RubyGems + License assigned manually by a user in the organization + Undefined + High + Low + Medium + Undefined + Unknown + Royalty-free unless litigated. + No patents granted. + Royalty-free and no identified patent risks. + Undefined severity issues: + Last Found + CVSS Version + Total Items: + IAST call stack: + Undefined + - Comments + Method: + Both + Config + Hash + Dependency Root: + Source-file and Package-manager + Package-manager + Source-file + None + + + + + HCL + Application Security on Cloud + sample-web + Unspecified + Wednesday, October 16, 2024 + FullReport + 1 + False + 30 + 20000 + False + ASoC + + + 1 + 1 + 1 + 1 + 1 + 1 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + + + + PrivilegeEscalation + + + + + + + + + PrivilegeEscalation + + 1 + + + + No non-root USER specified in Dockerfile configuration + sample-web\Dockerfile:1 + + + + FROM public.ecr.aws/docker/library/python:latest + + + + + + + + + No non-root USER specified in Dockerfile configuration + High + + No non-root USER specified in Dockerfile configuration + + + + PrivilegeEscalation + + + + + High + 3 + SAST + + 266 + + + catInsufficientAuthentication + + + privilegeEscalation + + + insecureWebAppConfiguration + + Open + Wednesday, October 16, 2024 + Wednesday, October 16, 2024 + PrivilegeEscalation + sample-web\Dockerfile:1 + sample-web\Dockerfile + None + 1 + 0 + 522deb60-ea8b-ef11-8473-000d3a0fc910 + 5a2deb60-ea8b-ef11-8473-000d3a0fc910 + + + + + 2024-10-16 18:13:44Z + No non-root USER specified in Dockerfile configuration + sample-web\Dockerfile + PrivilegeEscalation + PrivilegeEscalation + + + diff --git a/unittests/tools/test_hcl_asoc_sast_parser.py b/unittests/tools/test_hcl_asoc_sast_parser.py new file mode 100644 index 00000000000..d9adbde8c24 --- /dev/null +++ b/unittests/tools/test_hcl_asoc_sast_parser.py @@ -0,0 +1,36 @@ +from dojo.tools.hcl_asoc_sast.parser import HCLASoCSASTParser +from unittests.dojo_test_case import DojoTestCase + + +class TestHCLASoCSASTParser(DojoTestCase): + + def test_no_findings(self): + my_file_handle = open("unittests/scans/hcl_asoc_sast/no_issues.xml", encoding="utf-8") + parser = HCLASoCSASTParser() + findings = parser.get_findings(my_file_handle, None) + my_file_handle.close() + self.assertEqual(0, len(findings)) + + def test_one_finding(self): + my_file_handle = open("unittests/scans/hcl_asoc_sast/one_issue.xml", encoding="utf-8") + parser = HCLASoCSASTParser() + findings = parser.get_findings(my_file_handle, None) + my_file_handle.close() + self.assertEqual(1, len(findings)) + self.assertEqual(findings[0].title, "PrivilegeEscalation") + self.assertEqual(findings[0].severity, "High") + self.assertEqual(findings[0].cwe, 266) + + def test_many_findings(self): + my_file_handle = open("unittests/scans/hcl_asoc_sast/many_issues.xml", encoding="utf-8") + parser = HCLASoCSASTParser() + findings = parser.get_findings(my_file_handle, None) + my_file_handle.close() + self.assertEqual(83, len(findings)) + self.assertEqual(findings[0].title, "Authentication Bypass") + self.assertEqual(findings[2].title, "Configuration") + self.assertEqual(findings[0].severity, "High") + self.assertEqual(findings[9].severity, "High") + self.assertEqual(findings[9].file_path, "sample-php/src/adminEditCodeLanguageForm.php") + self.assertEqual(findings[5].line, 48) + self.assertEqual(findings[9].cwe, 79) From 164964c97b2918b3e9be9c3de046e194f9381468 Mon Sep 17 00:00:00 2001 From: Matt Stanchek Date: Thu, 5 Dec 2024 07:22:01 -0500 Subject: [PATCH 2/9] Update dojo/tools/hcl_asoc_sast/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/hcl_asoc_sast/parser.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py index 4394131d6d8..40028afda50 100644 --- a/dojo/tools/hcl_asoc_sast/parser.py +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -114,8 +114,7 @@ def get_findings(self, file, test): if aitem.tag == "cause": description = description + "***Cause:" + "\n" for causeitem in aitem: - if causeitem.attrib["type"] == "string": - if causeitem.text is not None: + if causeitem.attrib["type"] == "string" and causeitem.text is not None: description = description + causeitem.text + "\n" if aitem.tag == "recommendations": for recitem in aitem: From 67911492cf3a87abe27d0560fb4ab26d67926e6a Mon Sep 17 00:00:00 2001 From: Matt Stanchek Date: Thu, 5 Dec 2024 07:22:15 -0500 Subject: [PATCH 3/9] Update dojo/tools/hcl_asoc_sast/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/hcl_asoc_sast/parser.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py index 40028afda50..3f95373b66f 100644 --- a/dojo/tools/hcl_asoc_sast/parser.py +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -118,8 +118,7 @@ def get_findings(self, file, test): description = description + causeitem.text + "\n" if aitem.tag == "recommendations": for recitem in aitem: - if recitem.attrib["type"] == "string": - if recitem.text is not None: + if recitem.attrib["type"] == "string" and recitem.text is not None: recommendations = recommendations + recitem.text + "\n" elif recitem.attrib["type"] == "object": codeblock = recitem.iter() From 7f273cdaa089a0870b2c35119cf8f09f3881ebdb Mon Sep 17 00:00:00 2001 From: Matt Stanchek Date: Tue, 10 Dec 2024 13:51:20 +0000 Subject: [PATCH 4/9] refactoring for linter --- dojo/tools/hcl_asoc_sast/parser.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py index 3f95373b66f..bca8c2c6e40 100644 --- a/dojo/tools/hcl_asoc_sast/parser.py +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -42,10 +42,7 @@ def get_findings(self, file, test): match item.tag: case "severity": output = self.xmltreehelper(item) - if output is None: - severity = "Info" - else: - severity = output.strip(" ").capitalize() + severity = "Info" if output is None else output.strip(" ").capitalize() case "cwe": cwe = int(self.xmltreehelper(item)) case "issue-type": From b91848440342a3833e7cdfc2a1470168986e6ed2 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 19 Dec 2024 09:38:28 -0600 Subject: [PATCH 5/9] Remove settings sha file --- dojo/settings/.settings.dist.py.sha256sum | 1 - 1 file changed, 1 deletion(-) delete mode 100644 dojo/settings/.settings.dist.py.sha256sum diff --git a/dojo/settings/.settings.dist.py.sha256sum b/dojo/settings/.settings.dist.py.sha256sum deleted file mode 100644 index a466f9a965a..00000000000 --- a/dojo/settings/.settings.dist.py.sha256sum +++ /dev/null @@ -1 +0,0 @@ -6fd36fcdf01e6881e5d97fbf37fe8e10b2aad8ac7878691f9e362cecc4eb7cca From a75285cb3a8c45e612ba411e2966284db8e2f645 Mon Sep 17 00:00:00 2001 From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Thu, 19 Dec 2024 09:42:04 -0600 Subject: [PATCH 6/9] Fix indentions --- dojo/tools/hcl_asoc_sast/parser.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py index bca8c2c6e40..72b8e232294 100644 --- a/dojo/tools/hcl_asoc_sast/parser.py +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -112,11 +112,11 @@ def get_findings(self, file, test): description = description + "***Cause:" + "\n" for causeitem in aitem: if causeitem.attrib["type"] == "string" and causeitem.text is not None: - description = description + causeitem.text + "\n" + description = description + causeitem.text + "\n" if aitem.tag == "recommendations": for recitem in aitem: if recitem.attrib["type"] == "string" and recitem.text is not None: - recommendations = recommendations + recitem.text + "\n" + recommendations = recommendations + recitem.text + "\n" elif recitem.attrib["type"] == "object": codeblock = recitem.iter() for codeitem in codeblock: From d678f4723c324b2b79fdaf7a87b2383ec5892ae8 Mon Sep 17 00:00:00 2001 From: Matt Stanchek Date: Thu, 19 Dec 2024 15:54:29 -0500 Subject: [PATCH 7/9] Update dojo/tools/hcl_asoc_sast/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/hcl_asoc_sast/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py index 72b8e232294..5f99082d46d 100644 --- a/dojo/tools/hcl_asoc_sast/parser.py +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -47,7 +47,7 @@ def get_findings(self, file, test): cwe = int(self.xmltreehelper(item)) case "issue-type": title = self.xmltreehelper(item).strip() - description = description + "***Issue-Type:" + title + "\n" + description = description + "**Issue-Type:** " + title + "\n" case "issue-type-name": title = self.xmltreehelper(item).strip() description = description + "***Issue-Type-Name:" + title + "\n" From ac0c66c51a654c4d416a92264835e79109388042 Mon Sep 17 00:00:00 2001 From: Matt Stanchek Date: Thu, 19 Dec 2024 15:54:51 -0500 Subject: [PATCH 8/9] Update dojo/tools/hcl_asoc_sast/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/hcl_asoc_sast/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py index 5f99082d46d..71fca169216 100644 --- a/dojo/tools/hcl_asoc_sast/parser.py +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -50,7 +50,7 @@ def get_findings(self, file, test): description = description + "**Issue-Type:** " + title + "\n" case "issue-type-name": title = self.xmltreehelper(item).strip() - description = description + "***Issue-Type-Name:" + title + "\n" + description = description + "**Issue-Type-Name:** " + title + "\n" case "source-file": location = self.xmltreehelper(item).strip() description = description + "***Location:" + location + "\n" From 4a9644d952e6a69e59c5f7e222d1e8b21f4dbe19 Mon Sep 17 00:00:00 2001 From: Matt Stanchek Date: Thu, 19 Dec 2024 15:55:10 -0500 Subject: [PATCH 9/9] Update dojo/tools/hcl_asoc_sast/parser.py Co-authored-by: Charles Neill <1749665+cneill@users.noreply.github.com> --- dojo/tools/hcl_asoc_sast/parser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dojo/tools/hcl_asoc_sast/parser.py b/dojo/tools/hcl_asoc_sast/parser.py index 71fca169216..9267b6ce04f 100644 --- a/dojo/tools/hcl_asoc_sast/parser.py +++ b/dojo/tools/hcl_asoc_sast/parser.py @@ -53,7 +53,7 @@ def get_findings(self, file, test): description = description + "**Issue-Type-Name:** " + title + "\n" case "source-file": location = self.xmltreehelper(item).strip() - description = description + "***Location:" + location + "\n" + description = description + "**Location:** " + location + "\n" case "line": line = int(self.xmltreehelper(item).strip()) description = description + "***Line:" + str(line) + "\n"