/var/jenkins_home/workspace/Devops
Potential Path Traversal (file read)
java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
At ImageAction.java:[lines 13-65]
In class com.archerysec.devsecops.actions.ImageAction
In method com.archerysec.devsecops.actions.ImageAction.getImageFile(String)
At ImageAction.java:[line 47]
Sink method java/io/File.<init>(Ljava/lang/String;)V
Sink parameter 0
Unknown source javax/servlet/ServletContext.getRealPath(Ljava/lang/String;)Ljava/lang/String;
Unknown source java/io/File.separator
At ImageAction.java:[line 28]
At ImageAction.java:[line 44]
At ImageAction.java:[line 46]
At ImageAction.java:[line 47]
Potential Path Traversal (file read)
java/io/File.<init>(Ljava/lang/String;Ljava/lang/String;)V reads a file whose location might be specified by user input
At ProductsAction.java:[lines 43-260]
In class com.archerysec.devsecops.actions.ProductsAction
In method com.archerysec.devsecops.actions.ProductsAction.fileupload(Products)
At ProductsAction.java:[line 107]
Sink method java/io/File.<init>(Ljava/lang/String;Ljava/lang/String;)V
Sink parameter 0
Unknown source com/archerysec/devsecops/actions/ProductsAction.mainFileName
At ProductsAction.java:[line 104]
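Both path-traversal findings above share the same shape: a `java.io.File` is built from a string that is partly attacker-influenced (a path derived from `ServletContext.getRealPath` in `ImageAction.getImageFile`, and `mainFileName` in `ProductsAction.fileupload`). The following is an added example of the usual fix, not code from the scanned project: resolve the caller-supplied name against a fixed base directory and reject anything whose normalized and symlink-resolved path leaves that directory. The class and method names, the temporary directory and the sample file are assumptions made for the example (Java 11+).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: confine file access to one base directory (not the project's code).
public final class SafeFileResolver {
    private final Path baseDir;

    // baseDir must exist; toRealPath() follows symlinks so later checks compare like with like.
    public SafeFileResolver(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath();
    }

    // Resolve a caller-supplied name under baseDir. Absolute paths, "..", and
    // symlinks pointing outside baseDir are all rejected.
    public Path resolve(String userSupplied) throws IOException {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // resolve() replaces baseDir entirely if userSupplied is absolute, so the
        // containment check below also catches "/etc/passwd".
        Path candidate = baseDir.resolve(userSupplied).normalize();
        // Path.startsWith compares whole components: "/srv/images2" does not start with "/srv/images".
        if (candidate.equals(baseDir) || !candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + userSupplied);
        }
        // A file inside baseDir may still be a symlink to somewhere else; re-check after following it.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("symlink escapes base directory: " + userSupplied);
            }
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory with one file in it (assumption for the demo).
        Path base = Files.createTempDirectory("images");
        Files.writeString(base.resolve("logo.png"), "not really a png");
        SafeFileResolver r = new SafeFileResolver(base);

        System.out.println("accepted: " + r.resolve("logo.png"));
        System.out.println("accepted: " + r.resolve("sub/../logo.png")); // normalizes back inside baseDir

        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", "..", ".", "sub/../../x"}) {
            try {
                System.out.println("unexpected: " + r.resolve(bad));
            } catch (SecurityException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```

The check is done on `Path` objects rather than on strings so that prefix comparison works per component and so that `normalize()` and `toRealPath()` do the canonicalization instead of hand-written `..` stripping, which is the step that usually gets bypassed.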
XMLDecoder usage
It is not safe to use an XMLDecoder to parse user supplied data
At StudentAddApi.java:[lines 19-65]
In class com.archerysec.devsecops.actions.api.StudentAddApi
In method com.archerysec.devsecops.actions.api.StudentAddApi.execute()
At StudentAddApi.java:[line 32]
Potential XSS in Servlet
This use of java/io/PrintWriter.print(Ljava/lang/String;)V could be vulnerable to XSS
At StudentDetailsApi.java:[lines 29-104]
In class com.archerysec.devsecops.actions.api.StudentDetailsApi
In method com.archerysec.devsecops.actions.api.StudentDetailsApi.execute()
At StudentDetailsApi.java:[line 57]
Sink method java/io/PrintWriter.print(Ljava/lang/String;)V
Sink parameter 0
Unknown source com/archerysec/devsecops/actions/api/StudentDetailsApi.jaxbObjectToXML(Lcom/archerysec/devsecops/model/Student;)Ljava/lang/String;
At StudentDetailsApi.java:[line 55]
XML parsing vulnerable to XXE (DocumentBuilder)
The use of DocumentBuilder.parse(...) is vulnerable to XML External Entity attacks
At StudentDetailsApi.java:[lines 29-104]
In class com.archerysec.devsecops.actions.api.StudentDetailsApi
In method com.archerysec.devsecops.actions.api.StudentDetailsApi.execute()
At StudentDetailsApi.java:[line 45]
Value DocumentBuilder.parse(...)
Hard Coded Password
Hard coded password found
At StudentRepository.java:[lines 19-187]
In class com.archerysec.devsecops.respository.StudentRepository
In method com.archerysec.devsecops.respository.StudentRepository.fetchUserDetails(String)
At StudentRepository.java:[line 180]
Sink method com/archerysec/devsecops/model/Student.setPassword(Ljava/lang/String;)V
Sink parameter 0
Potential JDBC Injection
This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection
At StudentRepository.java:[lines 19-187]
In class com.archerysec.devsecops.respository.StudentRepository
In method com.archerysec.devsecops.respository.StudentRepository.findByLoginSQL(String, String)
At StudentRepository.java:[line 120]
Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
Sink parameter 0
Method usage not detected
At StudentRepository.java:[line 120]
At StudentService.java:[line 32]
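The `Statement.executeQuery` finding in `findByLoginSQL(String, String)` is the classic login-bypass shape: two user-controlled strings concatenated into SQL text. The following added example (not the project's code) puts the vulnerable concatenation next to the `PreparedStatement` form so the difference in behaviour on an injection payload is visible. The table `student` with columns `username`, `password`, `name`, the method names, and the JDBC URL passed on the command line are assumptions; running it needs a JDBC driver on the classpath (for example an in-memory H2 database at `jdbc:h2:mem:demo`). Storing and comparing plaintext passwords is a separate problem and is kept only because that is the query shape the finding describes.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;

// Added example: vulnerable concatenated query beside its parameterized fix (not the project's code).
public final class LoginQueries {

    // Vulnerable shape: the attacker controls part of the SQL text. A password of
    //   ' OR '1'='1
    // turns the WHERE clause into a tautology and returns the first row.
    static Optional<String> findByLoginConcat(Connection c, String user, String pass) throws SQLException {
        String sql = "SELECT name FROM student WHERE username = '" + user
                + "' AND password = '" + pass + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? Optional.of(rs.getString("name")) : Optional.empty();
        }
    }

    // Hardened shape: the SQL text is a constant; user and pass travel as bound parameters
    // and are never parsed as SQL, whatever quotes or keywords they contain.
    static Optional<String> findByLoginPrepared(Connection c, String user, String pass) throws SQLException {
        String sql = "SELECT name FROM student WHERE username = ? AND password = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("name")) : Optional.empty();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed: args[0] is a JDBC URL for a driver on the classpath, e.g. jdbc:h2:mem:demo
        try (Connection c = DriverManager.getConnection(args[0]); Statement st = c.createStatement()) {
            // Constructed sample data.
            st.execute("CREATE TABLE student (username VARCHAR(64), password VARCHAR(64), name VARCHAR(64))");
            st.execute("INSERT INTO student VALUES ('alice', 's3cret', 'Alice')");

            String inject = "' OR '1'='1";
            System.out.println("concat:   " + findByLoginConcat(c, "alice", inject));   // Optional[Alice]: bypassed
            System.out.println("prepared: " + findByLoginPrepared(c, "alice", inject)); // Optional.empty
        }
    }
}
```

Note that the "Method usage not detected" line in the finding means the scanner could not trace where the concatenated string originates; `StudentService.java:[line 32]` is the caller it did locate, and both sites should be checked when deciding whether the inputs are attacker-controlled.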
Object deserialization is used in com.archerysec.devsecops.util.SerializeObject.stringToObject(String)
Object deserialization is used in com.archerysec.devsecops.util.SerializeObject.stringToObject(String)
At SerializeObject.java:[lines 16-74]
In class com.archerysec.devsecops.util.SerializeObject
In method com.archerysec.devsecops.util.SerializeObject.stringToObject(String)
At SerializeObject.java:[line 41]
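`ObjectInputStream.readObject` on data a caller can supply lets the caller choose which classes are instantiated, which is the entry point for gadget-chain exploitation. The block below is an added example of confining a string-to-object helper with a `java.io.ObjectInputFilter` allow-list (Java 9+); it is not the project's `SerializeObject` code. The `Student` payload type, the filter limits, and the Base64 transport are assumptions for the example; in a real deployment the allow-list names exactly the types the endpoint expects and nothing else.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;

// Added example: allow-list filtered deserialization (not the project's code).
public final class FilteredDeserializer {

    // The one type this endpoint is expected to receive (assumed for the example).
    public static final class Student implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public Student(String name) { this.name = name; }
    }

    // Allow Student and the String it contains, reject every other class ("!*"), and cap
    // graph depth, reference count and stream size so a crafted stream cannot exhaust memory.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredDeserializer$Student;java.lang.String;!*;maxdepth=4;maxrefs=64;maxbytes=65536");

    public static String objectToString(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static Object stringToObject(String base64) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER); // must be installed before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an expected payload round-trips normally.
        String ok = objectToString(new Student("alice"));
        System.out.println("accepted: " + ((Student) stringToObject(ok)).name);

        // Constructed stand-in for an unexpected class: rejected by the filter before any
        // readObject/readResolve code of that class can run.
        String other = objectToString(new java.util.HashMap<String, String>());
        try {
            stringToObject(other);
            System.out.println("unexpected: HashMap accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs on each class descriptor as it is read, so a rejected class never reaches its own deserialization hooks; that is what makes an allow-list stronger than post-hoc `instanceof` checks on the returned object.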
Regex DOS (ReDOS)
The regular expression "^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$" is vulnerable to a denial of service attack (ReDOS)
Value ^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$
At Validator.java:[lines 6-69]
In class com.archerysec.devsecops.util.Validator
In method com.archerysec.devsecops.util.Validator.validateEmail(String)
At Validator.java:[line 24]