diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml index 899db6e..b673504 100644 --- a/.github/workflows/fortify.yml +++ b/.github/workflows/fortify.yml @@ -13,15 +13,15 @@ jobs: strategy: fail-fast: false matrix: - java: [8, 11, 17] - scala: [2.12.x, 2.13.x] + java: [11, 17, 21] + scala: [2.13.x, 3.x] runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - uses: coursier/cache-action@v6 - - uses: actions/setup-java@v3 + - uses: actions/setup-java@v4 with: - distribution: adopt + distribution: temurin java-version: ${{matrix.java}} - uses: actions/cache@v3 diff --git a/.gitignore b/.gitignore index 1a82448..53ee61f 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ dist /.project /RUNNING_PID /.settings +/.bsp diff --git a/README.md b/README.md index d88d21f..dc49049 100644 --- a/README.md +++ b/README.md @@ -39,4 +39,4 @@ Then go to http://localhost:9000. ## Scala versions -Cross-building to Scala 2.12 and 2.13 is supported. +Cross-building to Scala 2.13 and 3 is supported. diff --git a/app/controllers/HomeController.scala b/app/controllers/HomeController.scala index 2d0b6e7..48892d1 100644 --- a/app/controllers/HomeController.scala +++ b/app/controllers/HomeController.scala @@ -15,7 +15,7 @@ import scala.sys.process._ */ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(implicit ec: ExecutionContext) extends MessagesAbstractController(cc) { - def index = Action { implicit request => + def index: Action[AnyContent] = Action { implicit request => Ok(Html(s""" @@ -41,7 +41,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection & XSS directly from directly called query parameter */ - def attackerQuerySimple = Action { implicit request => + def attackerQuerySimple: Action[AnyContent] = Action { implicit request => val address = request.getQueryString("address") // [RuleTest] Command Injection 
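Review bot: The bumped `- uses: actions/setup-java@v4` still references the action by a mutable major tag, as do the unchanged `actions/checkout@v3`, `coursier/cache-action@v6` and `actions/cache@v3` lines in the same hunk, so each run of this job resolves whatever those tags point at that day. For a workflow whose output is a security baseline, pinning every `uses:` to a full commit SHA with the tag kept as a trailing comment (`- uses: actions/setup-java@<commit-sha>  # v4`, placeholder) makes the toolchain reproducible and limits exposure to a retagged action. Bumping only setup-java while checkout and cache stay on their previous majors also reads like an oversight worth a second look; the matrix and `distribution: temurin` changes themselves look fine.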
@@ -56,14 +56,15 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection & XSS directly from directly called query parameter */ - def attackerQueryPatternMatching = Action { implicit request => + def attackerQueryPatternMatching: Action[AnyContent] = Action { implicit request => val addressRE= "(.*):(\\d+)".r val address = request.cookies.get("address").get.value address match { - // [RuleTest] Command Injection + // [RuleTest] Command Injection case addressRE(address, port) => s"ping ${address}".! + case _ => } // [RuleTest] Cross-Site Scripting: Reflected Ok(Html(s"Host ${address} pinged")) as HTML @@ -72,7 +73,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS directly from directly called query parameter */ - def attackerQuery = Action { implicit request => + def attackerQuery: Action[AnyContent] = Action { implicit request => val result = request.getQueryString("attacker").map { command => // Render the command directly from query parameter, this is the obvious example 
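Review bot: The new `case _ =>` arm lets a cookie that does not match `"(.*):(\\d+)".r` fall through silently, yet the handler still answers `Host ${address} pinged`, so the response now claims a ping that never ran. If the arm exists only to satisfy Scala 3's exhaustivity warning under `-Werror` (which is what it looks like, though the compiler flags live in build.sbt), record that next to it: `// Scala 3 reports this extractor match as non-exhaustive under -Werror; a non-matching cookie is deliberately a no-op`. The arm also widens the match's type from `Int` to `AnyVal` (Unit vs. the exit code of `.!`), harmless only because the value is discarded. The `request.cookies.get("address").get` on the preceding context line still throws when the cookie is absent, so the wildcard does not cover the missing-cookie path; that is pre-existing and outside this change.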
@@ -87,21 +88,21 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through query string parsed by generated router from conf/routes file. */ - def attackerRouteControlledQuery(attacker: String) = Action { implicit request => + def attackerRouteControlledQuery(attacker: String): Action[AnyContent] = Action { implicit request => Ok(Html(attacker)) as HTML } /** * XSS through path binding parsed by generated router from conf/routes file. */ - def attackerRouteControlledPath(attacker: String) = Action { implicit request => + def attackerRouteControlledPath(attacker: String): Action[AnyContent] = Action { implicit request => Ok(Html(attacker)) as HTML } /** * XSS through attacker controlled info in cookie */ - def attackerCookie = Action { implicit request => + def attackerCookie: Action[AnyContent] = Action { implicit request => // User cookies have no message authentication by default, so an attacker can pass in a cookie val result = request.cookies.get("attacker").map { attackerCookie => // Render the command @@ -114,7 +115,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through attacker controlled header */ - def attackerHeader = Action { implicit request => + def attackerHeader: Action[AnyContent] = Action { implicit request => // Request headers are also unvalidated by default. // The usual example is pulling the Location header to do an unsafe redirect val result = request.headers.get("Attacker").map { command => @@ -128,7 +129,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Unbound redirect through Header */ - def attackerOpenRedirect = Action { implicit request => + def attackerOpenRedirect: Action[AnyContent] = Action { implicit request => request.headers.get("Location") match { case Some(attackerLocation) => // Also see https://github.com/playframework/playframework/issues/6450 
@@ -142,7 +143,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through URL encoded form input. */ - def attackerFormInput = Action { implicit request => + def attackerFormInput: Action[AnyContent] = Action { implicit request => val boundForm = FormData.form.bindFromRequest() boundForm.fold(badData => BadRequest("Bad form binding"), userData => { // Render the attacker command as HTML @@ -154,7 +155,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS through attacker controlled flash cookie. */ - def attackerFlash = Action { implicit request => + def attackerFlash: Action[AnyContent] = Action { implicit request => // Flash is usually handled with // Redirect(routes.HomeController.attackerFlash()).flashing("info" -> "Some text") // but if the user puts HTML in it and then renders it, @@ -170,14 +171,14 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i } // Render a boring form - def constraintForm = Action { implicit request => + def constraintForm: Action[AnyContent] = Action { implicit request => Ok(views.html.index(FormData.customForm)) } /** * XSS through custom constraint with user input */ - def attackerConstraintForm = Action { implicit request => + def attackerConstraintForm: Action[AnyContent] = Action { implicit request => // Bind a form that uses the i18n messages api, but the user input is reflected in the error message // Play takes a raw string here and escapes everything, but it may be possible to escape this... @@ -196,7 +197,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * XSS involving Twirl template */ - def twirlXSS = Action { implicit request => + def twirlXSS = Action { implicit request: MessagesRequest[AnyContent] => request.getQueryString("xss").map { payload => Ok(views.html.xss(payload)) }.getOrElse(Ok("Missing xss param")) 
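Review bot: `def twirlXSS = Action { implicit request: MessagesRequest[AnyContent] =>` is now the only action in this file left without an explicit result type, while every other hunk in the commit adds `: Action[AnyContent]`. Presumably the parameter annotation was needed so the implicit `MessagesRequest` resolves for `views.html.xss` under Scala 3, but that does not preclude the return type; for consistency write `def twirlXSS: Action[AnyContent] = Action { implicit request: MessagesRequest[AnyContent] =>`. The other three hunks on this line (attackerFormInput, attackerFlash, constraintForm/attackerConstraintForm) follow the convention and need nothing.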
@@ -205,7 +206,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * SSRF attacks done with Play WS */ - def attackerSSRF = Action.async { implicit request => + def attackerSSRF: Action[AnyContent] = Action.async { implicit request => // Play WS does not have a whitelist of valid URLs, so if you're calling it // directly with user input, you're open to SSRF. The best thing to do is // to place WS access in a wrapper, i.e. @@ -222,7 +223,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i /** * Command injection with custom body parser */ - def attackerCustomBodyParser = Action(bodyParser = BodyParser { header: RequestHeader => + def attackerCustomBodyParser: Action[Foo] = Action(bodyParser = BodyParser { (header: RequestHeader) => { // request header is a request without a body // http://localhost:9000/attackerCustomBodyParser?address=/etc/passwd val result = header.getQueryString("filename").map { filename => @@ -231,7 +232,7 @@ class HomeController @Inject()(ws: WSClient, cc: MessagesControllerComponents)(i }.getOrElse("No filename found!") Accumulator.done(Right(Foo(bar = result))) - }) { implicit request: Request[Foo] => + }}) { implicit request: Request[Foo] => val foo: Foo = request.body Ok(foo.bar) } @@ -313,4 +314,7 @@ object FormData { case class UserData(name: String, age:Int) + object UserData { + def unapply(u: UserData): Option[(String, Int)] = Some((u.name, u.age)) + } } diff --git a/build.sbt b/build.sbt index ba53a0f..1787870 100644 --- a/build.sbt +++ b/build.sbt 
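Review bot: The rewritten body parser wraps the lambda body in a second pair of braces, `(header: RequestHeader) => { ... }}`, which is redundant in both Scala 2.13 and 3 — only the parentheses around the typed parameter are required by Scala 3 — and the doubled `}}` on the closing line makes the nesting harder to read; `BodyParser { (header: RequestHeader) =>` with the original single `})` closing is enough. While touching these lines, the context comment `?address=/etc/passwd` does not match the `filename` query parameter the parser actually reads, so the example URL is misleading. The attackerCustomBodyParser body continues outside the two hunks.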
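Review bot: The new `object UserData` with a hand-written `unapply` returning `Option[(String, Int)]` looks redundant beside a case class and will puzzle the next reader unless its purpose is recorded; it is presumably there because Scala 3's synthesized `unapply` returns `UserData` rather than an `Option`, which the form mapping elsewhere in FormData expects. Add a comment above it such as `// Explicit Option-returning unapply: Play's Forms.mapping needs B => Option[(A1, A2)], which Scala 3's synthetic case-class unapply no longer provides`. Under 2.13 this should merely replace the synthetic method with an equivalent one, so cross-building looks unaffected as far as the hunk shows; the enclosing FormData object starts outside the hunk.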
@@ -3,12 +3,15 @@ lazy val `play-webgoat` = (project in file(".")).enablePlugins(PlayScala) name := "play-webgoat" version := "1.0" -crossScalaVersions := Seq("2.13.12", "2.12.18") +crossScalaVersions := Seq("2.13.12", "3.3.1") scalaVersion := crossScalaVersions.value.head // tc-skip libraryDependencies ++= Seq(guice, ws) scalacOptions ++= Seq( - "-feature", "-unchecked", "-deprecation", "-Xfatal-warnings", - // "unused" is too fragile w/ Twirl, routes file - "-Xlint:-unused" + // "-unchecked", "-deprecation" // Set by Play already + "-feature", "-Werror", ) +scalacOptions ++= (CrossVersion.partialVersion(scalaVersion.value) match { + case Some((2, _)) => Seq("-Xlint:-unused,_") + case _ => Seq() +}) diff --git a/conf/logback.xml b/conf/logback.xml index 31480f3..67c12f7 100644 --- a/conf/logback.xml +++ b/conf/logback.xml @@ -1,17 +1,24 @@ + + + Copyright (C) from 2022 The Play Framework Contributors , 2011-2021 Lightbend Inc. +--> + + + + + - - + + %highlight(%-5level) %logger{15} - %message%n%xException{10} - + diff --git a/fortify.sbt b/fortify.sbt index 4b0587f..d1d908b 100644 --- a/fortify.sbt +++ b/fortify.sbt @@ -1,6 +1,6 @@ // enable the plugin addCompilerPlugin( - "com.lightbend" %% "scala-fortify" % "1.0.25" + "com.lightbend" %% "scala-fortify" % "1.1.0-RC1" cross CrossVersion.patch) // configure the plugin diff --git a/project/plugins.sbt b/project/plugins.sbt index da36c0f..7e45f85 100644 --- a/project/plugins.sbt +++ b/project/plugins.sbt @@ -2,8 +2,4 @@ scalacOptions ++= Seq( "-feature", "-unchecked", "-deprecation", "-Xlint:-unused", "-Xfatal-warnings") -ThisBuild / libraryDependencySchemes ++= Seq( - "org.scala-lang.modules" %% "scala-xml" % VersionScheme.Always -) - -addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.8.19") +addSbtPlugin("com.typesafe.play" % "sbt-plugin" % "2.9.0") diff --git a/vulnerabilities-2.12.x.txt b/vulnerabilities-2.12.x.txt deleted file mode 100644 index e677709..0000000 --- a/vulnerabilities-2.12.x.txt +++ /dev/null 
@@ -1,179 +0,0 @@ -[70987AD0CCC4270469DECB9E338D8C9E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(53) : ->Result.as(this) - app/controllers/HomeController.scala(53) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(50) : <=> (html) - app/controllers/HomeController.scala(50) : <->Html.apply(0->return) - app/controllers/HomeController.scala(50) : <->Object.toString(this->return) - app/controllers/HomeController.scala(45) : <=> (address) - app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) - -[33128A11344ABDEF50E2F7D8D7146DB1 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(69) : ->Result.as(this) - app/controllers/HomeController.scala(69) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(69) : <->Html.apply(0->return) - app/controllers/HomeController.scala(62) : <=> (address) - app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) - app/controllers/HomeController.scala(62) : <->Option.get(this->return) - app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) - -[5B7D0DB4D614ADB01C888ABFA9BED320 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(84) : ->Result.as(this) - app/controllers/HomeController.scala(77) : <=> (result) - app/controllers/HomeController.scala(77) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(81) : return - app/controllers/HomeController.scala(81) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(81) : <->Html.apply(0->return) - app/controllers/HomeController.scala(77) : <->controllers.HomeController$anonfun$attackerQuery$2.apply(0->return) - app/controllers/HomeController.scala(77) : <- RequestHeader.getQueryString(return) - 
-[B09BD522BAB03D03138116E5C24A332E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(91) : ->Result.as(this) - app/controllers/HomeController.scala(91) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(91) : <->Html.apply(0->return) - app/controllers/HomeController.scala(90) : ->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.apply(this) - app/controllers/HomeController.scala(90) : <=> (this) - app/controllers/HomeController.scala(90) : <->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.innerinit^(0->this) - app/controllers/HomeController.scala(90) : ->HomeController.attackerRouteControlledQuery(0) - -[76157C51B8F7E2674323F2BBE0459F81 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(98) : ->Result.as(this) - app/controllers/HomeController.scala(98) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(98) : <->Html.apply(0->return) - app/controllers/HomeController.scala(97) : ->controllers.HomeController$anonfun$attackerRouteControlledPath$1.apply(this) - app/controllers/HomeController.scala(97) : <=> (this) - app/controllers/HomeController.scala(97) : <->controllers.HomeController$anonfun$attackerRouteControlledPath$1.innerinit^(0->this) - app/controllers/HomeController.scala(97) : ->HomeController.attackerRouteControlledPath(0) - -[8EE69802E6FCE8A1A4739050180C0BBC : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(111) : ->Result.as(this) - app/controllers/HomeController.scala(106) : <=> (result) - app/controllers/HomeController.scala(106) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(108) : return - app/controllers/HomeController.scala(108) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(108) : <->Html.apply(0->return) - app/controllers/HomeController.scala(108) : 
<->Cookie.value(this->return) - app/controllers/HomeController.scala(106) : <->controllers.HomeController$anonfun$attackerCookie$2.apply(0->return) - app/controllers/HomeController.scala(106) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(106) : <- RequestHeader.cookies(return) - -[7BB2A2B92BB725FFAE8CC580EC07547E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(125) : ->Result.as(this) - app/controllers/HomeController.scala(120) : <=> (result) - app/controllers/HomeController.scala(120) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(122) : return - app/controllers/HomeController.scala(122) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(120) : <->controllers.HomeController$anonfun$attackerHeader$2.apply(0->return) - app/controllers/HomeController.scala(120) : <->Headers.get(this->return) - app/controllers/HomeController.scala(120) : <- WrappedRequest.headers(return) - -[39721F0AF3B5131A3B3035F9317C4CD9 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(150) : ->Result.as(this) - app/controllers/HomeController.scala(150) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(150) : <->Html.apply(0->return) - app/controllers/HomeController.scala(149) : <=> (command) - app/controllers/HomeController.scala(315) : return (this.name) - app/controllers/HomeController.scala(149) : <->FormData$UserData.name(this.name->return) - app/controllers/HomeController.scala(147) : ->controllers.HomeController$anonfun$attackerFormInput$3.apply(0.name) - app/controllers/HomeController.scala(146) : <=> (boundForm) - app/controllers/HomeController.scala(146) : <- Form.bindFromRequest(return) - -[E6CC52318B0B2200473A13FE2F3944AE : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(169) : ->Result.as(this) - app/controllers/HomeController.scala(164) : <=> 
(result) - app/controllers/HomeController.scala(164) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(166) : return - app/controllers/HomeController.scala(166) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(166) : <->Html.apply(0->return) - app/controllers/HomeController.scala(164) : <->controllers.HomeController$anonfun$attackerFlash$2.apply(0->return) - app/controllers/HomeController.scala(164) : <->Flash.get(this->return) - app/controllers/HomeController.scala(164) : <- RequestHeader.flash(return) - -[8D691E21A8DD2904FFB9D9C86B76D022 : high : Server-Side Request Forgery : dataflow ] -app/controllers/HomeController.scala(216) : ->WSClient.url(0) - app/controllers/HomeController.scala(214) : <=> (attackerUrl) - app/controllers/HomeController.scala(214) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(214) : <->AnyContent.asText(this->return) - app/controllers/HomeController.scala(214) : <- WrappedRequest.body(return) - -[2D3C1DE38D160DC1111779E2B1CB792A : critical : Open Redirect : dataflow ] -app/controllers/HomeController.scala(135) : ->Results.Redirect(0) - app/controllers/HomeController.scala(133) : <=> (attackerLocation) - app/controllers/HomeController.scala(133) : <->Some.value(this->return) - app/controllers/HomeController.scala(132) : <->Headers.get(this->return) - app/controllers/HomeController.scala(132) : <- WrappedRequest.headers(return) - -[6D5A6D191A67348160822F3A70E73B41 : critical : Command Injection : dataflow ] -app/controllers/HomeController.scala(48) : ->ProcessBuilder.!(this) - app/controllers/HomeController.scala(48) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(48) : <->Object.toString(this->return) - app/controllers/HomeController.scala(45) : <=> (address) - app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) - -[E054AE8B29DE1B03994CE9E180806D14 : critical : Command Injection : dataflow ] 
-app/controllers/HomeController.scala(66) : ->ProcessBuilder.!(this) - app/controllers/HomeController.scala(66) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(66) : <=> (address~1) - app/controllers/HomeController.scala(66) : <->LinearSeqOptimized.apply(this->return) - app/controllers/HomeController.scala(66) : <->Option.get(this->return) - app/controllers/HomeController.scala(66) : <->Regex.unapplySeq(0->return) - app/controllers/HomeController.scala(62) : <=> (address) - app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) - app/controllers/HomeController.scala(62) : <->Option.get(this->return) - app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) - -[7539909C6B48052B774D20F0F9D4B833 : critical : Command Injection : dataflow ] -app/controllers/HomeController.scala(230) : ->ProcessBuilder.!!(this) - app/controllers/HomeController.scala(230) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(228) : ->controllers.HomeController$anonfun$attackerCustomBodyParser$2.apply(0) - app/controllers/HomeController.scala(228) : <- RequestHeader.getQueryString(return) - -[7AA03F985E923884F14D7CCCEBCAFC97 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/views/xss.scala.html(3) : ->BaseScalaTemplate._display_(0) - app/views/xss.scala.html(3) : <->Html.apply(0->return) - app/controllers/HomeController.scala(201) : ->xss.apply(0) - app/controllers/HomeController.scala(202) : ->controllers.HomeController$anonfun$twirlXSS$2.apply(0) - app/controllers/HomeController.scala(202) : <- RequestHeader.getQueryString(return) - -[7D28392534D22625D25CE2901CD24E92 : critical : Password Management : Hardcoded Password : configuration ] - Fortify/Fortify_SCA_23.1.1/Core/go/src/net/http/request.go(954) - -[16E724BE48E9A475B158F8B7BB09E34B : low : Password Management : Password in Comment : 
configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(108) - -[7D60AB57B5E6F97588B47E1727BBDF01 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(110) - -[CD014C42A1C713E32626350CE46374E1 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(210) - -[FFC84141D7968A38A4E2DD0AE4D63023 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(222) - -[EB2255E14A58F1EA53655CCF5E4A9331 : low : Password Management : Password in Comment : configuration ] - Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(226) - -[A6529A7EBCDA4CEA93D49376FA2E103A : low : Code Correctness : Non-Static Inner Class Implements Serializable : structural ] - app/controllers/HomeController.scala(239) - -[A054B8CF843466C9C08F7C31A431AF62 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) - -[B2934DA20E3AD7BB839D019DDB7EF610 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) - -[3123D430AEB62E4FF2BB7F6A775DE9F4 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) - -[EF0E143E15EB85C0226B44014A79E298 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) - -[3F112D268BC9CC49AEA7DD1B65D2543E : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) - -[1D7A640F7D4C395E44AE1B510CA5FA05 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(284) - -[00132A9E4889966ADB911CACDED783FE : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) 
diff --git a/vulnerabilities-2.13.x.txt b/vulnerabilities-2.13.x.txt index 29f094c..5343af4 100644 --- a/vulnerabilities-2.13.x.txt +++ b/vulnerabilities-2.13.x.txt @@ -8,9 +8,9 @@ app/controllers/HomeController.scala(53) : ->Result.as(this) app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) [33128A11344ABDEF50E2F7D8D7146DB1 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(69) : ->Result.as(this) - app/controllers/HomeController.scala(69) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(69) : <->Html.apply(0->return) +app/controllers/HomeController.scala(70) : ->Result.as(this) + app/controllers/HomeController.scala(70) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(70) : <->Html.apply(0->return) app/controllers/HomeController.scala(62) : <=> (address) app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) app/controllers/HomeController.scala(62) : <->Option.get(this->return) 
@@ -18,90 +18,90 @@ app/controllers/HomeController.scala(69) : ->Result.as(this) app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) [5B7D0DB4D614ADB01C888ABFA9BED320 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(84) : ->Result.as(this) - app/controllers/HomeController.scala(77) : <=> (result) - app/controllers/HomeController.scala(77) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(81) : return - app/controllers/HomeController.scala(81) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(81) : <->Html.apply(0->return) - app/controllers/HomeController.scala(77) : <->controllers.HomeController$anonfun$attackerQuery$2.apply(0->return) - app/controllers/HomeController.scala(77) : <- RequestHeader.getQueryString(return) +app/controllers/HomeController.scala(85) : ->Result.as(this) + app/controllers/HomeController.scala(78) : <=> (result) + app/controllers/HomeController.scala(78) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(82) : return + app/controllers/HomeController.scala(82) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(82) : <->Html.apply(0->return) + app/controllers/HomeController.scala(78) : <->controllers.HomeController$anonfun$attackerQuery$2.apply(0->return) + app/controllers/HomeController.scala(78) : <- RequestHeader.getQueryString(return) [B09BD522BAB03D03138116E5C24A332E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(91) : ->Result.as(this) - app/controllers/HomeController.scala(91) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(91) : <->Html.apply(0->return) - app/controllers/HomeController.scala(90) : ->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.apply(this) - app/controllers/HomeController.scala(90) : <=> (this) - app/controllers/HomeController.scala(90) : 
<->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.innerinit^(0->this) - app/controllers/HomeController.scala(90) : ->HomeController.attackerRouteControlledQuery(0) +app/controllers/HomeController.scala(92) : ->Result.as(this) + app/controllers/HomeController.scala(92) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(92) : <->Html.apply(0->return) + app/controllers/HomeController.scala(91) : ->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.apply(this) + app/controllers/HomeController.scala(91) : <=> (this) + app/controllers/HomeController.scala(91) : <->controllers.HomeController$anonfun$attackerRouteControlledQuery$1.innerinit^(0->this) + app/controllers/HomeController.scala(91) : ->HomeController.attackerRouteControlledQuery(0) [76157C51B8F7E2674323F2BBE0459F81 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(98) : ->Result.as(this) - app/controllers/HomeController.scala(98) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(98) : <->Html.apply(0->return) - app/controllers/HomeController.scala(97) : ->controllers.HomeController$anonfun$attackerRouteControlledPath$1.apply(this) - app/controllers/HomeController.scala(97) : <=> (this) - app/controllers/HomeController.scala(97) : <->controllers.HomeController$anonfun$attackerRouteControlledPath$1.innerinit^(0->this) - app/controllers/HomeController.scala(97) : ->HomeController.attackerRouteControlledPath(0) +app/controllers/HomeController.scala(99) : ->Result.as(this) + app/controllers/HomeController.scala(99) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(99) : <->Html.apply(0->return) + app/controllers/HomeController.scala(98) : ->controllers.HomeController$anonfun$attackerRouteControlledPath$1.apply(this) + app/controllers/HomeController.scala(98) : <=> (this) + app/controllers/HomeController.scala(98) : 
<->controllers.HomeController$anonfun$attackerRouteControlledPath$1.innerinit^(0->this) + app/controllers/HomeController.scala(98) : ->HomeController.attackerRouteControlledPath(0) [8EE69802E6FCE8A1A4739050180C0BBC : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(111) : ->Result.as(this) - app/controllers/HomeController.scala(106) : <=> (result) - app/controllers/HomeController.scala(106) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(108) : return - app/controllers/HomeController.scala(108) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(108) : <->Html.apply(0->return) - app/controllers/HomeController.scala(108) : <->Cookie.value(this->return) - app/controllers/HomeController.scala(106) : <->controllers.HomeController$anonfun$attackerCookie$2.apply(0->return) - app/controllers/HomeController.scala(106) : <->Cookies.get(this->return) - app/controllers/HomeController.scala(106) : <- RequestHeader.cookies(return) +app/controllers/HomeController.scala(112) : ->Result.as(this) + app/controllers/HomeController.scala(107) : <=> (result) + app/controllers/HomeController.scala(107) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(109) : return + app/controllers/HomeController.scala(109) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(109) : <->Html.apply(0->return) + app/controllers/HomeController.scala(109) : <->Cookie.value(this->return) + app/controllers/HomeController.scala(107) : <->controllers.HomeController$anonfun$attackerCookie$2.apply(0->return) + app/controllers/HomeController.scala(107) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(107) : <- RequestHeader.cookies(return) [7BB2A2B92BB725FFAE8CC580EC07547E : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(125) : ->Result.as(this) - app/controllers/HomeController.scala(120) : <=> (result) 
- app/controllers/HomeController.scala(120) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(122) : return - app/controllers/HomeController.scala(122) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(120) : <->controllers.HomeController$anonfun$attackerHeader$2.apply(0->return) - app/controllers/HomeController.scala(120) : <->Headers.get(this->return) - app/controllers/HomeController.scala(120) : <- WrappedRequest.headers(return) +app/controllers/HomeController.scala(126) : ->Result.as(this) + app/controllers/HomeController.scala(121) : <=> (result) + app/controllers/HomeController.scala(121) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(123) : return + app/controllers/HomeController.scala(123) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(121) : <->controllers.HomeController$anonfun$attackerHeader$2.apply(0->return) + app/controllers/HomeController.scala(121) : <->Headers.get(this->return) + app/controllers/HomeController.scala(121) : <- WrappedRequest.headers(return) [39721F0AF3B5131A3B3035F9317C4CD9 : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(150) : ->Result.as(this) - app/controllers/HomeController.scala(150) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(150) : <->Html.apply(0->return) - app/controllers/HomeController.scala(149) : <=> (command) - app/controllers/HomeController.scala(315) : return (this.name) - app/controllers/HomeController.scala(149) : <->FormData$UserData.name(this.name->return) - app/controllers/HomeController.scala(147) : ->controllers.HomeController$anonfun$attackerFormInput$3.apply(0.name) - app/controllers/HomeController.scala(146) : <=> (boundForm) - app/controllers/HomeController.scala(146) : <- Form.bindFromRequest(return) +app/controllers/HomeController.scala(151) : ->Result.as(this) + app/controllers/HomeController.scala(151) : 
<->Results$Status.apply(0->return) + app/controllers/HomeController.scala(151) : <->Html.apply(0->return) + app/controllers/HomeController.scala(150) : <=> (command) + app/controllers/HomeController.scala(316) : return (this.name) + app/controllers/HomeController.scala(150) : <->FormData$UserData.name(this.name->return) + app/controllers/HomeController.scala(148) : ->controllers.HomeController$anonfun$attackerFormInput$3.apply(0.name) + app/controllers/HomeController.scala(147) : <=> (boundForm) + app/controllers/HomeController.scala(147) : <- Form.bindFromRequest(return) [E6CC52318B0B2200473A13FE2F3944AE : critical : Cross-Site Scripting : Reflected : dataflow ] -app/controllers/HomeController.scala(169) : ->Result.as(this) - app/controllers/HomeController.scala(164) : <=> (result) - app/controllers/HomeController.scala(164) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(166) : return - app/controllers/HomeController.scala(166) : <->Results$Status.apply(0->return) - app/controllers/HomeController.scala(166) : <->Html.apply(0->return) - app/controllers/HomeController.scala(164) : <->controllers.HomeController$anonfun$attackerFlash$2.apply(0->return) - app/controllers/HomeController.scala(164) : <->Flash.get(this->return) - app/controllers/HomeController.scala(164) : <- RequestHeader.flash(return) +app/controllers/HomeController.scala(170) : ->Result.as(this) + app/controllers/HomeController.scala(165) : <=> (result) + app/controllers/HomeController.scala(165) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(167) : return + app/controllers/HomeController.scala(167) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(167) : <->Html.apply(0->return) + app/controllers/HomeController.scala(165) : <->controllers.HomeController$anonfun$attackerFlash$2.apply(0->return) + app/controllers/HomeController.scala(165) : <->Flash.get(this->return) + app/controllers/HomeController.scala(165) : <- 
RequestHeader.flash(return) [8D691E21A8DD2904FFB9D9C86B76D022 : high : Server-Side Request Forgery : dataflow ] -app/controllers/HomeController.scala(216) : ->WSClient.url(0) - app/controllers/HomeController.scala(214) : <=> (attackerUrl) - app/controllers/HomeController.scala(214) : <->Option.getOrElse(this->return) - app/controllers/HomeController.scala(214) : <->AnyContent.asText(this->return) - app/controllers/HomeController.scala(214) : <- WrappedRequest.body(return) +app/controllers/HomeController.scala(217) : ->WSClient.url(0) + app/controllers/HomeController.scala(215) : <=> (attackerUrl) + app/controllers/HomeController.scala(215) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(215) : <->AnyContent.asText(this->return) + app/controllers/HomeController.scala(215) : <- WrappedRequest.body(return) [2D3C1DE38D160DC1111779E2B1CB792A : critical : Open Redirect : dataflow ] -app/controllers/HomeController.scala(135) : ->Results.Redirect(0) - app/controllers/HomeController.scala(133) : <=> (attackerLocation) - app/controllers/HomeController.scala(133) : <->Some.value(this->return) - app/controllers/HomeController.scala(132) : <->Headers.get(this->return) - app/controllers/HomeController.scala(132) : <- WrappedRequest.headers(return) +app/controllers/HomeController.scala(136) : ->Results.Redirect(0) + app/controllers/HomeController.scala(134) : <=> (attackerLocation) + app/controllers/HomeController.scala(134) : <->Some.value(this->return) + app/controllers/HomeController.scala(133) : <->Headers.get(this->return) + app/controllers/HomeController.scala(133) : <- WrappedRequest.headers(return) [6D5A6D191A67348160822F3A70E73B41 : critical : Command Injection : dataflow ] app/controllers/HomeController.scala(48) : ->ProcessBuilder.!(this) 
@@ -124,17 +124,17 @@ app/controllers/HomeController.scala(66) : ->ProcessBuilder.!(this) app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) [7539909C6B48052B774D20F0F9D4B833 : critical : Command Injection : dataflow ] -app/controllers/HomeController.scala(230) : ->ProcessBuilder.!!(this) - app/controllers/HomeController.scala(230) : <->ProcessImplicits.stringToProcess(0->return) - app/controllers/HomeController.scala(228) : ->controllers.HomeController$anonfun$attackerCustomBodyParser$2.apply(0) - app/controllers/HomeController.scala(228) : <- RequestHeader.getQueryString(return) +app/controllers/HomeController.scala(231) : ->ProcessBuilder.!!(this) + app/controllers/HomeController.scala(231) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(229) : ->controllers.HomeController$anonfun$attackerCustomBodyParser$2.apply(0) + app/controllers/HomeController.scala(229) : <- RequestHeader.getQueryString(return) [7AA03F985E923884F14D7CCCEBCAFC97 : critical : Cross-Site Scripting : Reflected : dataflow ] app/views/xss.scala.html(3) : ->BaseScalaTemplate._display_(0) app/views/xss.scala.html(3) : <->Html.apply(0->return) - app/controllers/HomeController.scala(201) : ->xss.apply(0) - app/controllers/HomeController.scala(202) : ->controllers.HomeController$anonfun$twirlXSS$2.apply(0) - app/controllers/HomeController.scala(202) : <- RequestHeader.getQueryString(return) + app/controllers/HomeController.scala(202) : ->xss.apply(0) + app/controllers/HomeController.scala(203) : ->controllers.HomeController$anonfun$twirlXSS$2.apply(0) + app/controllers/HomeController.scala(203) : <- RequestHeader.getQueryString(return) [7D28392534D22625D25CE2901CD24E92 : critical : Password Management : Hardcoded Password : configuration ] Fortify/Fortify_SCA_23.1.1/Core/go/src/net/http/request.go(954) 
@@ -155,25 +155,25 @@ app/views/xss.scala.html(3) : ->BaseScalaTemplate._display_(0) Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(226) [A6529A7EBCDA4CEA93D49376FA2E103A : low : Code Correctness : Non-Static Inner Class Implements Serializable : structural ] - app/controllers/HomeController.scala(239) + app/controllers/HomeController.scala(240) [A054B8CF843466C9C08F7C31A431AF62 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [B2934DA20E3AD7BB839D019DDB7EF610 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [3123D430AEB62E4FF2BB7F6A775DE9F4 : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [EF0E143E15EB85C0226B44014A79E298 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(277) + app/controllers/HomeController.scala(278) [3F112D268BC9CC49AEA7DD1B65D2543E : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) + app/controllers/HomeController.scala(285) [1D7A640F7D4C395E44AE1B510CA5FA05 : low : Missing Form Field Validation : structural ] - app/controllers/HomeController.scala(284) + app/controllers/HomeController.scala(285) [00132A9E4889966ADB911CACDED783FE : low : Missing Form Field Constraints : structural ] - app/controllers/HomeController.scala(284) + app/controllers/HomeController.scala(285) diff --git a/vulnerabilities-3.x.txt b/vulnerabilities-3.x.txt new file mode 100644 index 0000000..cdc12f7 --- /dev/null +++ b/vulnerabilities-3.x.txt 
@@ -0,0 +1,188 @@ +[C3F0AF7EE2817C0570D9C65E755D2FAD : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(53) : ->Result.as(this) + app/controllers/HomeController.scala(53) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(50) : <=> (html) + app/controllers/HomeController.scala(50) : <->Html.apply(0->return) + app/controllers/HomeController.scala(50) : <->Object.toString(this->return) + app/controllers/HomeController.scala(45) : <=> (address) + app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) + +[044F951511B13BA782BA2F1196405D07 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(70) : ->Result.as(this) + app/controllers/HomeController.scala(70) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(70) : <->Html.apply(0->return) + app/controllers/HomeController.scala(62) : <=> (address) + app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) + app/controllers/HomeController.scala(62) : <->Option.get(this->return) + app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) + +[16812E772A81725CEBB9EB41749B515C : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(85) : ->Result.as(this) + app/controllers/HomeController.scala(78) : <=> (result) + app/controllers/HomeController.scala(78) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(82) : return + app/controllers/HomeController.scala(82) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(82) : <->Html.apply(0->return) + app/controllers/HomeController.scala(78) : <->controllers.HomeController$anonfun$1.apply(0->return) + app/controllers/HomeController.scala(78) : <- RequestHeader.getQueryString(return) + +[B09BD522BAB03D03138116E5C24A332E : 
critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(92) : ->Result.as(this) + app/controllers/HomeController.scala(92) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(92) : <->Html.apply(0->return) + app/controllers/HomeController.scala(91) : ->controllers.HomeControllerattackerRouteControlledQuery$$anonfun$1.apply(this) + app/controllers/HomeController.scala(91) : <=> (this) + app/controllers/HomeController.scala(92) : <->controllers.HomeControllerattackerRouteControlledQuery$$anonfun$1.innerinit^(0->this) + app/controllers/HomeController.scala(91) : ->HomeController.attackerRouteControlledQuery(0) + +[76157C51B8F7E2674323F2BBE0459F81 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(99) : ->Result.as(this) + app/controllers/HomeController.scala(99) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(99) : <->Html.apply(0->return) + app/controllers/HomeController.scala(98) : ->controllers.HomeControllerattackerRouteControlledPath$$anonfun$1.apply(this) + app/controllers/HomeController.scala(98) : <=> (this) + app/controllers/HomeController.scala(99) : <->controllers.HomeControllerattackerRouteControlledPath$$anonfun$1.innerinit^(0->this) + app/controllers/HomeController.scala(98) : ->HomeController.attackerRouteControlledPath(0) + +[3795138EC238E0F49E5A94291F0D4EB8 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(112) : ->Result.as(this) + app/controllers/HomeController.scala(107) : <=> (result) + app/controllers/HomeController.scala(107) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(109) : return + app/controllers/HomeController.scala(109) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(109) : <->Html.apply(0->return) + app/controllers/HomeController.scala(109) : <->Cookie.value(this->return) + 
app/controllers/HomeController.scala(107) : <->controllers.HomeController$anonfun$3.apply(0->return) + app/controllers/HomeController.scala(107) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(107) : <- RequestHeader.cookies(return) + +[96D3E7E2197C805881750C3DCE84914C : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(126) : ->Result.as(this) + app/controllers/HomeController.scala(121) : <=> (result) + app/controllers/HomeController.scala(121) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(123) : return + app/controllers/HomeController.scala(123) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(121) : <->controllers.HomeController$anonfun$5.apply(0->return) + app/controllers/HomeController.scala(121) : <->Headers.get(this->return) + app/controllers/HomeController.scala(121) : <- WrappedRequest.headers(return) + +[6475C00D5E47A96AF3E75435BFDDBD1E : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(151) : ->Result.as(this) + app/controllers/HomeController.scala(151) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(151) : <->Html.apply(0->return) + app/controllers/HomeController.scala(150) : <=> (command) + app/controllers/HomeController.scala(316) : return (this.name) + app/controllers/HomeController.scala(150) : <->FormData$UserData.name(this.name->return) + app/controllers/HomeController.scala(148) : ->controllers.HomeControllerattackerFormInput$$anonfun$1$$anonfun$2.apply(0.name) + app/controllers/HomeController.scala(147) : <=> (boundForm) + app/controllers/HomeController.scala(147) : <- Form.bindFromRequest(return) + +[11FCDCF1B24839756EB1953B60CBC8B3 : critical : Cross-Site Scripting : Reflected : dataflow ] +app/controllers/HomeController.scala(170) : ->Result.as(this) + app/controllers/HomeController.scala(165) : <=> (result) + 
app/controllers/HomeController.scala(165) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(167) : return + app/controllers/HomeController.scala(167) : <->Results$Status.apply(0->return) + app/controllers/HomeController.scala(167) : <->Html.apply(0->return) + app/controllers/HomeController.scala(165) : <->controllers.HomeController$anonfun$7.apply(0->return) + app/controllers/HomeController.scala(165) : <->Flash.get(this->return) + app/controllers/HomeController.scala(165) : <- RequestHeader.flash(return) + +[4833799B0EBD7B1791F5342C096BDE6F : high : Server-Side Request Forgery : dataflow ] +app/controllers/HomeController.scala(217) : ->WSClient.url(0) + app/controllers/HomeController.scala(215) : <=> (attackerUrl) + app/controllers/HomeController.scala(215) : <->Option.getOrElse(this->return) + app/controllers/HomeController.scala(215) : <->AnyContent.asText(this->return) + app/controllers/HomeController.scala(215) : <- WrappedRequest.body(return) + +[B0560B4681BAD5206C25ED5D5AA6F441 : critical : Open Redirect : dataflow ] +app/controllers/HomeController.scala(136) : ->Results.Redirect(0) + app/controllers/HomeController.scala(134) : <=> (attackerLocation) + app/controllers/HomeController.scala(134) : <->Some.value(this->return) + app/controllers/HomeController.scala(133) : <->Headers.get(this->return) + app/controllers/HomeController.scala(133) : <- WrappedRequest.headers(return) + +[2F3B03C604BC09D5664BF65A1A886FAC : critical : Command Injection : dataflow ] +app/controllers/HomeController.scala(48) : ->ProcessBuilder.!(this) + app/controllers/HomeController.scala(48) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(48) : <->Object.toString(this->return) + app/controllers/HomeController.scala(45) : <=> (address) + app/controllers/HomeController.scala(45) : <- RequestHeader.getQueryString(return) + +[EE42804AE6EB1A66313E692165683019 : critical : Command Injection : dataflow ] 
+app/controllers/HomeController.scala(66) : ->ProcessBuilder.!(this) + app/controllers/HomeController.scala(66) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(66) : <=> (address~1) + app/controllers/HomeController.scala(66) : <->LinearSeqOps.apply(this->return) + app/controllers/HomeController.scala(66) : <->Option.get(this->return) + app/controllers/HomeController.scala(66) : <->Regex.unapplySeq(0->return) + app/controllers/HomeController.scala(62) : <=> (address) + app/controllers/HomeController.scala(62) : <->Cookie.value(this->return) + app/controllers/HomeController.scala(62) : <->Option.get(this->return) + app/controllers/HomeController.scala(62) : <->Cookies.get(this->return) + app/controllers/HomeController.scala(62) : <- RequestHeader.cookies(return) + +[B9DF91AACD4B21B618149964386E4129 : critical : Command Injection : dataflow ] +app/controllers/HomeController.scala(231) : ->ProcessBuilder.!!(this) + app/controllers/HomeController.scala(231) : <->ProcessImplicits.stringToProcess(0->return) + app/controllers/HomeController.scala(229) : ->controllers.HomeController$anonfun$10.apply(0) + app/controllers/HomeController.scala(229) : <- RequestHeader.getQueryString(return) + +[19934AF014F44D85C1841457D8ED6581 : critical : Cross-Site Scripting : Reflected : dataflow ] +target/scala-3.3.1/twirl/main/views/html/xss.template.scala(28) : ->BaseScalaTemplate._display_(0) + target/scala-3.3.1/twirl/main/views/html/xss.template.scala(28) : <->Html.apply(0->return) + app/controllers/HomeController.scala(202) : ->xss.apply(0) + app/controllers/HomeController.scala(201) : ->controllers.HomeControllertwirlXSS$$anonfun$1$$anonfun$1.apply(0) + app/controllers/HomeController.scala(201) : <- RequestHeader.getQueryString(return) + +[7D28392534D22625D25CE2901CD24E92 : critical : Password Management : Hardcoded Password : configuration ] + Fortify/Fortify_SCA_23.1.1/Core/go/src/net/http/request.go(954) + +[16E724BE48E9A475B158F8B7BB09E34B 
: low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(108) + +[7D60AB57B5E6F97588B47E1727BBDF01 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(110) + +[CD014C42A1C713E32626350CE46374E1 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(210) + +[FFC84141D7968A38A4E2DD0AE4D63023 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(222) + +[EB2255E14A58F1EA53655CCF5E4A9331 : low : Password Management : Password in Comment : configuration ] + Fortify/Fortify_SCA_23.1.1/jre/conf/management/management.properties(226) + +[1810A9D7ABBD32A9C113C3F821AF3E2A : low : Poor Style : Value Never Read : structural ] + app/controllers/HomeController.scala(66) + Variable: port [app/controllers/HomeController.scala(66)] + +[A6529A7EBCDA4CEA93D49376FA2E103A : low : Code Correctness : Non-Static Inner Class Implements Serializable : structural ] + app/controllers/HomeController.scala(240) + +[A054B8CF843466C9C08F7C31A431AF62 : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(278) + +[B2934DA20E3AD7BB839D019DDB7EF610 : low : Missing Form Field Validation : structural ] + app/controllers/HomeController.scala(278) + +[3123D430AEB62E4FF2BB7F6A775DE9F4 : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(278) + +[EF0E143E15EB85C0226B44014A79E298 : low : Missing Form Field Validation : structural ] + app/controllers/HomeController.scala(278) + +[3F112D268BC9CC49AEA7DD1B65D2543E : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(285) + +[1D7A640F7D4C395E44AE1B510CA5FA05 : low : Missing Form Field Validation : structural ] + 
app/controllers/HomeController.scala(285) + +[00132A9E4889966ADB911CACDED783FE : low : Missing Form Field Constraints : structural ] + app/controllers/HomeController.scala(285) + +[C997F7BB94E70A739A5522B291E17A57 : low : Code Correctness : Constructor Invokes Overridable Function : structural ] + target/scala-3.3.1/routes/main/router/Routes.scala(37) + Function: router.Routes.Routes [target/scala-3.3.1/routes/main/router/Routes.scala(13)] + Function: router.Routes.prefix [target/scala-3.3.1/routes/main/router/Routes.scala(19)]