Workspace: /var/jenkins_home/workspace/Devops
Category: Security

1. Potential Path Traversal (file read)
   java/io/File.<init>(Ljava/lang/String;)V reads a file whose location might be specified by user input
   At ImageAction.java:[lines 13-65]
   In class com.archerysec.devsecops.actions.ImageAction
   In method com.archerysec.devsecops.actions.ImageAction.getImageFile(String)
   At ImageAction.java:[line 47]
   Sink method java/io/File.<init>(Ljava/lang/String;)V
   Sink parameter 0
   Unknown source javax/servlet/ServletContext.getRealPath(Ljava/lang/String;)Ljava/lang/String;
   Unknown source java/io/File.separator
   At ImageAction.java:[line 28]
   At ImageAction.java:[line 44]
   At ImageAction.java:[line 46]
   At ImageAction.java:[line 47]

2. Potential Path Traversal (file read)
   java/io/File.<init>(Ljava/lang/String;Ljava/lang/String;)V reads a file whose location might be specified by user input
   At ProductsAction.java:[lines 43-260]
   In class com.archerysec.devsecops.actions.ProductsAction
   In method com.archerysec.devsecops.actions.ProductsAction.fileupload(Products)
   At ProductsAction.java:[line 107]
   Sink method java/io/File.<init>(Ljava/lang/String;Ljava/lang/String;)V
   Sink parameter 0
   Unknown source com/archerysec/devsecops/actions/ProductsAction.mainFileName
   At ProductsAction.java:[line 104]

3. XMLDecoder usage
   It is not safe to use an XMLDecoder to parse user supplied data
   At StudentAddApi.java:[lines 19-65]
   In class com.archerysec.devsecops.actions.api.StudentAddApi
   In method com.archerysec.devsecops.actions.api.StudentAddApi.execute()
   At StudentAddApi.java:[line 32]

4. Potential XSS in Servlet
   This use of java/io/PrintWriter.print(Ljava/lang/String;)V could be vulnerable to XSS
   At StudentDetailsApi.java:[lines 29-104]
   In class com.archerysec.devsecops.actions.api.StudentDetailsApi
   In method com.archerysec.devsecops.actions.api.StudentDetailsApi.execute()
   At StudentDetailsApi.java:[line 57]
   Sink method java/io/PrintWriter.print(Ljava/lang/String;)V
   Sink parameter 0
   Unknown source com/archerysec/devsecops/actions/api/StudentDetailsApi.jaxbObjectToXML(Lcom/archerysec/devsecops/model/Student;)Ljava/lang/String;
   At StudentDetailsApi.java:[line 55]

5. XML parsing vulnerable to XXE (DocumentBuilder)
   The use of DocumentBuilder.parse(...) is vulnerable to XML External Entity attacks
   At StudentDetailsApi.java:[lines 29-104]
   In class com.archerysec.devsecops.actions.api.StudentDetailsApi
   In method com.archerysec.devsecops.actions.api.StudentDetailsApi.execute()
   At StudentDetailsApi.java:[line 45]
   Value DocumentBuilder.parse(...)

6. Hard Coded Password
   Hard coded password found
   At StudentRepository.java:[lines 19-187]
   In class com.archerysec.devsecops.respository.StudentRepository
   In method com.archerysec.devsecops.respository.StudentRepository.fetchUserDetails(String)
   At StudentRepository.java:[line 180]
   Sink method com/archerysec/devsecops/model/Student.setPassword(Ljava/lang/String;)V
   Sink parameter 0

7. Potential JDBC Injection
   This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection
   At StudentRepository.java:[lines 19-187]
   In class com.archerysec.devsecops.respository.StudentRepository
   In method com.archerysec.devsecops.respository.StudentRepository.findByLoginSQL(String, String)
   At StudentRepository.java:[line 120]
   Sink method java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet;
   Sink parameter 0
   Method usage not detected
   At StudentRepository.java:[line 120]
   At StudentService.java:[line 32]

8. Object deserialization is used in {1}
   Object deserialization is used in com.archerysec.devsecops.util.SerializeObject.stringToObject(String)
   At SerializeObject.java:[lines 16-74]
   In class com.archerysec.devsecops.util.SerializeObject
   In method com.archerysec.devsecops.util.SerializeObject.stringToObject(String)
   At SerializeObject.java:[line 41]

9. Regex DOS (ReDOS)
   The regular expression "^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$" is vulnerable to a denial of service attack (ReDOS)
   Value ^[_A-Za-z0-9-\\+]+(\\.[_A-Za-z0-9-]+)*@[A-Za-z0-9-]+(\\.[A-Za-z0-9]+)*(\\.[A-Za-z]{2,})$
   At Validator.java:[lines 6-69]
   In class com.archerysec.devsecops.util.Validator
   In method com.archerysec.devsecops.util.Validator.validateEmail(String)
   At Validator.java:[line 24]