
Vulnerability fix (powered by Mobb Autofixer) #16

Open
wants to merge 1 commit into base: main

Conversation

tomer-mobb
Owner

Fix for Path Traversal in MavenWrapperDownloader.java done with the help of Mobb

@tomer-mobb
Owner Author

Checkmarx One – Scan Summary & Details: bb3bbbc1-d425-4e52-8515-0c918c4378df

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | CVE-2013-7285 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2016-10707 | Npm-jquery-2.1.4 | Vulnerable Package |
| HIGH | CVE-2016-10707 | Npm-jquery-1.10.2 | Vulnerable Package |
| HIGH | CVE-2016-3674 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2017-7957 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2020-26217 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2020-26258 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21341 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21342 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21343 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21344 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21345 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21346 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21347 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21348 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21349 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21350 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-21351 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-23358 | Npm-underscore-1.10.2 | Vulnerable Package |
| HIGH | CVE-2021-29505 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39139 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39141 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39144 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39145 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39146 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39147 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39148 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39149 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39150 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39151 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39152 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39153 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-39154 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2021-43859 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2022-1471 | Maven-org.yaml:snakeyaml-1.33 | Vulnerable Package |
| HIGH | CVE-2022-40152 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2022-41966 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| HIGH | CVE-2023-24998 | Maven-commons-fileupload:commons-fileupload-1.4 | Vulnerable Package |
| HIGH | CVE-2023-2976 | Maven-com.google.guava:guava-31.1-jre | Vulnerable Package |
| HIGH | CVE-2023-34034 | Maven-org.springframework.security:spring-security-config-6.1.0 | Vulnerable Package |
| HIGH | CVE-2023-34053 | Maven-org.springframework:spring-web-6.0.9 | Vulnerable Package |
| HIGH | CVE-2023-36478 | Maven-org.eclipse.jetty:jetty-http-11.0.15 | Vulnerable Package |
| HIGH | CVE-2023-36478 | Maven-org.eclipse.jetty.http2:http2-hpack-11.0.15 | Vulnerable Package |
| HIGH | CVE-2023-38286 | Maven-org.thymeleaf:thymeleaf-3.1.1.RELEASE | Vulnerable Package |
| HIGH | CVE-2023-44487 | Maven-org.eclipse.jetty.http2:http2-common-11.0.15 | Vulnerable Package |
| HIGH | CVE-2023-6378 | Maven-ch.qos.logback:logback-core-1.4.7 | Vulnerable Package |
| HIGH | CVE-2023-6378 | Maven-ch.qos.logback:logback-classic-1.4.7 | Vulnerable Package |
| HIGH | Missing User Instruction | /Dockerfile_desktop: 1 | A user should be specified in the dockerfile, otherwise the image will run as root |
| MEDIUM | APT-GET Missing '-y' To Avoid Manual Input | /Dockerfile_desktop: 12 | Check if apt-get calls use the flag -y to avoid user manual input. |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile_desktop: 12 | When installing a package, its pin version should be defined |
| MEDIUM | Apt Get Install Pin Version Not Defined | /Dockerfile_desktop: 12 | When installing a package, its pin version should be defined |
| MEDIUM | CVE-2007-2379 | Npm-jquery-2.1.4 | Vulnerable Package |
| MEDIUM | CVE-2007-2379 | Npm-jquery-1.10.2 | Vulnerable Package |
| MEDIUM | CVE-2007-2379 | Maven-org.webjars:jquery-3.5.1 | Vulnerable Package |
| MEDIUM | CVE-2014-6071 | Npm-jquery-2.1.4 | Vulnerable Package |
| MEDIUM | CVE-2014-6071 | Npm-jquery-1.10.2 | Vulnerable Package |
| MEDIUM | CVE-2014-6071 | Maven-org.webjars:jquery-3.5.1 | Vulnerable Package |
| MEDIUM | CVE-2015-9251 | Npm-jquery-2.1.4 | Vulnerable Package |
| MEDIUM | CVE-2015-9251 | Npm-jquery-1.10.2 | Vulnerable Package |
| MEDIUM | CVE-2016-10735 | Npm-bootstrap-3.1.1 | Vulnerable Package |
| MEDIUM | CVE-2016-7103 | Npm-jquery-ui-1.10.4 | Vulnerable Package |
| MEDIUM | CVE-2018-14040 | Npm-bootstrap-3.1.1 | Vulnerable Package |
| MEDIUM | CVE-2018-14040 | Maven-org.webjars:bootstrap-3.3.7 | Vulnerable Package |
| MEDIUM | CVE-2018-14042 | Npm-bootstrap-3.1.1 | Vulnerable Package |
| MEDIUM | CVE-2018-14042 | Maven-org.webjars:bootstrap-3.3.7 | Vulnerable Package |
| MEDIUM | CVE-2018-20676 | Npm-bootstrap-3.1.1 | Vulnerable Package |
| MEDIUM | CVE-2018-20677 | Npm-bootstrap-3.1.1 | Vulnerable Package |
| MEDIUM | CVE-2019-11358 | Npm-jquery-2.1.4 | Vulnerable Package |
| MEDIUM | CVE-2019-11358 | Npm-jquery-1.10.2 | Vulnerable Package |
| MEDIUM | CVE-2019-8331 | Npm-bootstrap-3.1.1 | Vulnerable Package |
| MEDIUM | CVE-2020-11022 | Npm-jquery-2.1.4 | Vulnerable Package |
| MEDIUM | CVE-2020-11022 | Npm-jquery-1.10.2 | Vulnerable Package |
| MEDIUM | CVE-2020-11023 | Npm-jquery-2.1.4 | Vulnerable Package |
| MEDIUM | CVE-2020-11023 | Npm-jquery-1.10.2 | Vulnerable Package |
| MEDIUM | CVE-2020-26259 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| MEDIUM | CVE-2021-39140 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package |
| MEDIUM | CVE-2021-41182 | Npm-jquery-ui-1.10.4 | Vulnerable Package |
| MEDIUM | CVE-2021-41183 | Npm-jquery-ui-1.10.4 | Vulnerable Package |
| MEDIUM | CVE-2021-41184 | Npm-jquery-ui-1.10.4 | Vulnerable Package |
| MEDIUM | CVE-2022-31160 | Npm-jquery-ui-1.10.4 | Vulnerable Package |
| MEDIUM | CVE-2023-34035 | Maven-org.springframework.security:spring-security-config-6.1.0 | Vulnerable Package |
| MEDIUM | CVE-2023-34055 | Maven-org.springframework.boot:spring-boot-3.1.0 | Vulnerable Package |
| MEDIUM | CVE-2023-36479 | Maven-org.eclipse.jetty:jetty-servlets-11.0.15 | Vulnerable Package |
| MEDIUM | CVE-2023-40167 | Maven-org.eclipse.jetty:jetty-http-11.0.15 | Vulnerable Package |
| MEDIUM | CVE-2023-41329 | Maven-com.github.tomakehurst:wiremock-3.0.0-beta-2 | Vulnerable Package |
| MEDIUM | CVE-2023-51074 | Maven-com.jayway.jsonpath:json-path-2.8.0 | Vulnerable Package |
| MEDIUM | Cleartext_Submission_of_Sensitive_Information | /src/main/java/org/owasp/webgoat/lessons/hijacksession/HijackSessionAssignment.java: 64 | Attack Vector |
| MEDIUM | Cx3718d76a-e8e1 | Maven-org.eclipse.jetty:jetty-xml-11.0.15 | Vulnerable Package |
| MEDIUM | Cxf0b588a3-5c6f | Npm-jquery-2.1.4 | Vulnerable Package |
| MEDIUM | Cxf0b588a3-5c6f | Npm-jquery-1.10.2 | Vulnerable Package |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 41 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /test.yml: 62 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /test.yml: 54 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /test.yml: 45 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 83 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 75 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 102 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 143 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /build.yml: 39 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /build.yml: 53 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /build.yml: 45 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 80 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /build.yml: 42 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 89 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| MEDIUM | Unpinned Actions Full Length Commit SHA | /release.yml: 135 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| LOW | Chown Flag Exists | /Dockerfile: 12 | It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only e... |
| LOW | Healthcheck Instruction Missing | /Dockerfile: 1 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | Healthcheck Instruction Missing | /Dockerfile_desktop: 1 | Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working |
| LOW | MAINTAINER Instruction Being Used | /Dockerfile_desktop: 3 | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you sho... |
| LOW | MAINTAINER Instruction Being Used | /Dockerfile: 3 | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you sho... |

Fixed Issues

| Severity | Issue | Source File / Package |
|---|---|---|
| MEDIUM | Client_Potential_XSS | /src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js: 107 |
| MEDIUM | Client_Potential_XSS | /src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js: 107 |
| MEDIUM | Client_Potential_XSS | /src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js: 106 |
| MEDIUM | Client_Potential_XSS | /src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js: 106 |
| MEDIUM | Client_Potential_XSS | /src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js: 105 |
| MEDIUM | Client_Potential_XSS | /src/main/resources/webgoat/static/js/goatApp/view/LessonContentView.js: 105 |
| MEDIUM | Client_Potential_XSS | /src/main/resources/lessons/clientsidefiltering/js/clientSideFilteringFree.js: 9 |
| LOW | Client_DOM_Open_Redirect | /src/main/resources/webgoat/static/js/libs/backbone-min.js: 1203 |
| LOW | Client_DOM_Open_Redirect | /src/main/resources/webgoat/static/js/libs/backbone-min.js: 1203 |
| LOW | Client_DOM_Open_Redirect | /src/main/resources/webgoat/static/js/libs/backbone-min.js: 1215 |
| LOW | Client_DOM_Open_Redirect | /src/main/resources/webgoat/static/js/libs/backbone-min.js: 1203 |
| LOW | Client_DOM_Open_Redirect | /src/main/resources/webgoat/static/js/libs/backbone-min.js: 1211 |
| LOW | Client_DOM_Open_Redirect | /src/main/resources/webgoat/static/js/libs/backbone-min.js: 1203 |
| LOW | Client_JQuery_Deprecated_Symbols | /src/main/resources/lessons/challenges/js/bootstrap.min.js: 332 |
| LOW | Client_JQuery_Deprecated_Symbols | /src/main/resources/webgoat/static/js/libs/bootstrap.min.js: 505 |
