CheckMarx Code Scan of repository - Prototype Pollution issue

[adityagollakota]

Hi @jongpie ,

As part of our organisations usage of the unmanaged code, we had our Cyber team do an assessment of the package using CheckMarx.
Below is the outcome from the Cyber team:

"We have conducted a scan for code review and identified 1 High and 25 informational issues.
Could ask the developer responsible for the code to review the issues highlighted in the report and, confirm that the identified issues are valid and true positives."

Could someone please let me know if this is something that is of a concern or it can be ignored?
The High issue was around prototype pollution. I've attached the assessment outcome as well

NCA-NebulaLogger_scan.pdf

[jongpie]

Hi @adityagollakota so sorry for the very late response! I thought I had responded a few weeks ago, but I guess I never did 😞

Offhand, I don't see anything in the report that seems like an actual concern:

1. The 1 high issue for prototype pollution - this is done on the LogEntryEvent__e object, which are read-only objects in the LWC, so I don't think there's any harm in polluting the prototype.
2. The 25 informational issues - they seem to all be related to "Lightning Data Retrieval Without Wire Decorator". For the items it reported, I prefer to call the Apex classes imperatively (instead of using @wire) because it provides more control. I wouldn't consider this a security concern.

Hope this helps! Let me know if you need anything else.