You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
---------------------------------- Found 4 issues of Medium severity. ---------------------------------- CWE-73: External Control of File Name or Path: org/gytheio/content/node/SimpleAmqpNodeBootstrap.java:72 Details: This call to java.io.FileInputStream.!operator_javanewinit() contains a path manipulation flaw. The argument to the function is a filename constructed using untrusted input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to !operator_javanewinit() contains tainted data from the variable propertiesFilePath. The tainted data originated from an earlier call to org.gytheio.content.node.SimpleAmqpNodeBootstrap.main.Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using blocklists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.References: CWEOWASP https://downloads.veracode.com/securityscan/cwe/v4/java/73.html CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): org/gytheio/content/node/SimpleAmqpNodeBootstrap.java:108 Details: This call to java.lang.ClassLoader.loadClass() uses reflection in an unsafe manner. An attacker can specify the class name to be instantiated, which may create unexpected control flow paths through the application. Depending on how reflection is being used, the attack vector may allow the attacker to bypass security checks or otherwise cause the application to behave in an unexpected manner. Even if the object does not implement the specified interface and a ClassCastException is thrown, the constructor of the untrusted class name will have already executed. The first argument to loadClass() contains tainted data from the variable workerClassName. The tainted data originated from an earlier call to java.io.FileInputStream.!ctor.Validate the class name against a combination of white and blocklists to ensure that only expected behavior is produced.References: CWEOWASP https://downloads.veracode.com/securityscan/cwe/v4/java/470.html CWE-256: Plaintext Storage of a Password: org/gytheio/content/node/AbstractComponentBootstrapFromProperties.java:92 Details: The java.util.Properties.getProperty() method reads and/or stores sensitive information in plaintext, making the data more susceptible to compromise.Never store sensitive data in plaintext. Consider using cryptographic hashes as an alternative to plaintext. References: CWE https://downloads.veracode.com/securityscan/cwe/v4/java/256.html CWE-256: Plaintext Storage of a Password: org/gytheio/content/node/AbstractComponentBootstrapFromProperties.java:93 Details: The java.util.Properties.getProperty() method reads and/or stores sensitive information in plaintext, making the data more susceptible to compromise.Never store sensitive data in plaintext. Consider using cryptographic hashes as an alternative to plaintext. References: CWE https://downloads.veracode.com/securityscan/cwe/v4/java/256.html ---------------------------------- Skipping 3 issues of Low severity. ----------------------------------
======================== FAILURE: Found 4 issues! ========================
[28 Nov 2023 11:30:43,0594] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/gytheio/gytheio/readable_results.txt'.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.