You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
-------------------------------------------- Skipping 1 issues of Informational severity. -------------------------------------------- Total flaws found: 3, New flaws found: 0 as compared to baseline
================================== SUCCESS: No issues passed filters. ==================================
[09 Jan 2025 21:28:19,0667] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/alfresco-community-repo/alfresco-community-repo/results.json'.
-------------------------------- Found 1 issues of High severity. -------------------------------- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): org/springframework/security/spring-security-webauthn.js:199 Details: This call to href() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis. Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. Both the OWASP Java Encoder library and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.References: CWEOWASPSupported Cleansers https://downloads.veracode.com/securityscan/cwe/v4/java/80.html ---------------------------------- Found 1 issues of Medium severity. ---------------------------------- CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): org/springframework/security/spring-security-webauthn.js:199 Details: This call to href() contains a URL redirection to untrusted site flaw. Writing untrusted input into a URL value could cause the web application to redirect the request to the specified URL, leading to phishing attempts to steal user credentials.Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWEOWASP https://downloads.veracode.com/securityscan/cwe/v4/java/601.html -------------------------------------------- Skipping 1 issues of Informational severity. -------------------------------------------- Total flaws found: 5, New flaws found: 2 as compared to baseline
======================== FAILURE: Found 2 issues! ========================
[09 Jan 2025 21:53:10,0814] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/alfresco-community-repo/alfresco-community-repo/results.json'.
SaraAspery
changed the title
Bump to veracode 1.0.17 and remove exclusions. Scan should fail
Bump to veracode 1.0.17 and remove exclusions
Jan 10, 2025
-------------------------------- Found 1 issues of High severity. -------------------------------- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): org/springframework/security/spring-security-webauthn.js:199 Details: This call to href() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis. Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. Both the OWASP Java Encoder library and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.References: CWEOWASPSupported Cleansers https://downloads.veracode.com/securityscan/cwe/v4/java/80.html ---------------------------------- Found 1 issues of Medium severity. ---------------------------------- CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): org/springframework/security/spring-security-webauthn.js:199 Details: This call to href() contains a URL redirection to untrusted site flaw. Writing untrusted input into a URL value could cause the web application to redirect the request to the specified URL, leading to phishing attempts to steal user credentials.Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWEOWASP https://downloads.veracode.com/securityscan/cwe/v4/java/601.html -------------------------------------------- Skipping 1 issues of Informational severity. -------------------------------------------- Total flaws found: 5, New flaws found: 2 as compared to baseline
======================== FAILURE: Found 2 issues! ========================
[10 Jan 2025 00:45:09,0707] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/alfresco-community-repo/alfresco-community-repo/results.json'.
-------------------------------- Found 1 issues of High severity. -------------------------------- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS): org/springframework/security/spring-security-webauthn.js:199 Details: This call to href() contains a cross-site scripting (XSS) flaw. The application populates the HTTP response with untrusted input, allowing an attacker to embed malicious content, such as Javascript code, which will be executed in the context of the victim's browser. XSS vulnerabilities are commonly exploited to steal or manipulate cookies, modify presentation of content, and compromise confidential information, with new attack vectors being discovered on a regular basis. Use contextual escaping on all untrusted data before using it to construct any portion of an HTTP response. The escaping method should be chosen based on the specific use case of the untrusted data, otherwise it may not protect fully against the attack. For example, if the data is being written to the body of an HTML page, use HTML entity escaping; if the data is being written to an attribute, use attribute escaping; etc. Both the OWASP Java Encoder library and the Microsoft AntiXSS library provide contextual escaping methods. For more details on contextual escaping, see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md. In addition, as a best practice, always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.References: CWEOWASPSupported Cleansers https://downloads.veracode.com/securityscan/cwe/v4/java/80.html ---------------------------------- Found 1 issues of Medium severity. ---------------------------------- CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): org/springframework/security/spring-security-webauthn.js:199 Details: This call to href() contains a URL redirection to untrusted site flaw. Writing untrusted input into a URL value could cause the web application to redirect the request to the specified URL, leading to phishing attempts to steal user credentials.Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWEOWASP https://downloads.veracode.com/securityscan/cwe/v4/java/601.html -------------------------------------------- Skipping 1 issues of Informational severity. -------------------------------------------- Total flaws found: 5, New flaws found: 2 as compared to baseline
======================== FAILURE: Found 2 issues! ========================
[10 Jan 2025 20:54:11,0315] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/alfresco-community-repo/alfresco-community-repo/results.json'.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
SaraAspery
changed the title
No description provided.