
AutoFix PR#59

Open
ongamse wants to merge 2 commits into master from qwietai/autofix/fix0001

Conversation


@ongamse ongamse commented Jan 3, 2025

Qwiet AI AutoFix

This PR was created automatically by the Qwiet AI AutoFix tool.
As long as it is open, subsequent scans and generated fixes to this same branch will be added to it as new commits.

Each commit fixes one vulnerability.

Some manual intervention might be required before merging this PR.

Project Information

Fixes

  • For finding 14: "Insecure Direct Object Reference: Attacker-controlled Data Used Directly to Find Database Entry in AccountController.getAccount via accountId"

  • For finding 2: "Remote Code Execution: Code Injection Through Attacker-controlled Data via foo in SearchController.doGetSearch"


ongamse commented Jan 3, 2025


 ██████╗ ██╗    ██╗██╗███████╗████████╗  █████╗ ██╗
██╔═══██╗██║    ██║██║██╔════╝╚══██╔══╝ ██╔══██╗██║
██║   ██║██║ █╗ ██║██║█████╗     ██║    ███████║██║
██║▄▄ ██║██║███╗██║██║██╔══╝     ██║    ██╔══██║██║
╚██████╔╝╚███╔███╔╝██║███████╗   ██║    ██║  ██║██║
 ╚══▀▀═╝  ╚══╝╚══╝ ╚═╝╚══════╝   ╚═╝    ╚═╝  ╚═╝╚═╝
Executive Summary

Bestfix from Qwiet AI analyzed scan #3 for the java app QwietAI-java-demo on 2024-09-18. 18 files were analyzed during this scan, and no critical or high vulnerabilities were found. 65 open-source dependencies were also identified in which 0 vulnerabilities were found. Use the information in this report to mitigate the open-source and custom code vulnerabilities and to improve the scan performance.

Best OSS Fix Suggestions for QwietAI-java-demo

| Package | Reachable | Version | CVE | Fix Version(s) |
|---|---|---|---|---|
| org.springframework/spring-webmvc | | 4.3.6.RELEASE | CVE-2024-38816, CVE-2022-22965, CVE-2018-15756, CVE-2018-1272 | 5.3.18, 5.2.20, 5.1.1 |
| org.yaml/snakeyaml | | 1.17 | CVE-2022-25857, CVE-2022-1471, CVE-2017-18640 | 2.0, 1.31, 1.26 |
| org.springframework.data/spring-data-commons | | 1.13.0.RELEASE | CVE-2018-1274, CVE-2018-1273, CVE-2018-1259 | 2.6.0, 2.0.7, 2.0.5.release, 1.13.12 |
| org.springframework.boot/spring-boot-starter-web | | 1.5.1.RELEASE | GMS-2022-560, CVE-2022-22965 | 5.3.18, 5.2.20, 2.6.6, 2.5.12 |
| org.springframework.boot/spring-boot | | 1.5.1.RELEASE | CVE-2022-27772, CVE-2017-8046 | 3.0.1.release, 2.6.9.release, 2.2.11.release |
| org.springframework.boot/spring-boot-autoconfigure | | 1.5.1.RELEASE | CVE-2023-20883 | 3.0.7, 2.7.12, 2.6.15, 2.5.15 |
| org.springframework/spring-context | | 4.3.6.RELEASE | CVE-2022-22968 | 5.3.19, 5.2.21 |
| org.springframework/spring-beans | | 4.3.6.RELEASE | GMS-2022-558, CVE-2022-22970, CVE-2022-22965 | 5.3.20, 5.3.18, 5.2.22.release, 5.2.20 |
| org.springframework/spring-web | | 4.3.6.RELEASE | CVE-2024-22262, CVE-2024-22259, CVE-2024-22243, CVE-2018-15756, CVE-2016-1000027 | 6.1.6, 6.1.5, 6.1.4, 6.0.19, 6.0.18, 5.3.34 |
| org.springframework/spring-core | | 4.3.6.RELEASE | GMS-2022-559, CVE-2023-20863, CVE-2022-22970, CVE-2022-22968, CVE-2020-5421, CVE-2018-15756, CVE-2018-1275, CVE-2018-1272, CVE-2018-1270 | 6.0.8, 5.3.27, 5.3.20, 5.3.19, 5.3.18, 5.2.24.release, 5.2.22.release, 5.2.21 |
| org.springframework/spring-expression | | 4.3.6.RELEASE | CVE-2023-20863 | 6.0.8, 5.3.27, 5.2.24.release |
| org.hsqldb/hsqldb | | 2.3.3 | CVE-2022-41853 | 2.7.1 |
| org.hibernate/hibernate-validator | | 5.3.4.Final | CVE-2017-7536 | 5.4.2.final, 5.3.6.final, 5.2.5.final |
| org.hibernate/hibernate-core | | 5.0.11.Final | CVE-2020-25638 | 5.4.24.final, 5.3.20.final |
| org.codehaus.jackson/jackson-mapper-asl | | 1.5.6 | CVE-2019-10202, CVE-2019-10172 | |
| org.apache.tomcat.embed/tomcat-embed-websocket | | 8.5.11 | CVE-2023-46589, CVE-2020-13935 | 10.1.16, 9.0.83, 9.0.36 |
| org.apache.tomcat.embed/tomcat-embed-core | | 8.5.11 | CVE-2023-46589, CVE-2022-42252, CVE-2022-25762, CVE-2021-41079, CVE-2021-30639, CVE-2021-25329, CVE-2021-25122, CVE-2020-9484, CVE-2020-1938, CVE-2020-17527, CVE-2020-1745, CVE-2020-13935, CVE-2020-13934, CVE-2020-11996, CVE-2019-17563, CVE-2019-12418, CVE-2019-10072, CVE-2019-0232, CVE-2019-0199, CVE-2018-8034, CVE-2018-8014, CVE-2018-1336, CVE-2017-7675, CVE-2017-5664, CVE-2017-5651, CVE-2017-5650, CVE-2017-5648, CVE-2017-12617 | 9.0.83, 9.0.68, 9.0.45, 9.0.44, 9.0.43, 9.0.40, 9.0.37, 9.0.36, 9.0.35, 9.0.31, 9.0.30, 9.0.29, 9.0.21, 9.0.20, 9.0.17, 9.0.16, 9.0.1, 9.0.0.m21, 9.0.0.m18, 8.5.96, 8.5.76, 8.5.65, 8.5.64, 8.5.63, 8.5.60, 8.5.57, 8.5.56 |
| dom4j/dom4j | | 1.6.1 | CVE-2020-10683, CVE-2018-1000632 | 2.1.3, 2.1.1, 2.0.3 |
| com.fasterxml.jackson.core/jackson-databind | | 2.8.6 | CVE-2022-42004, CVE-2022-42003, CVE-2021-20190, CVE-2020-9548, CVE-2020-9547, CVE-2020-8840, CVE-2020-36518, CVE-2020-36189, CVE-2020-36188, CVE-2020-36187, CVE-2020-36186, CVE-2020-36185, CVE-2020-36184, CVE-2020-36183, CVE-2020-36182, CVE-2020-36181, CVE-2020-36180, CVE-2020-36179, CVE-2020-35728, CVE-2020-35491, CVE-2020-35490, CVE-2020-25649, CVE-2020-24750, CVE-2020-24616, CVE-2020-10673, CVE-2020-10650, CVE-2019-20330, CVE-2019-17531, CVE-2019-17267, CVE-2019-16943, CVE-2019-16942, CVE-2019-16335, CVE-2019-14892, CVE-2019-14540, CVE-2019-14439, CVE-2019-14379, CVE-2019-12086, CVE-2018-7489, CVE-2018-5968, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2018-14718, CVE-2018-12023, CVE-2018-12022, CVE-2018-11307, CVE-2017-7525, CVE-2017-17485, CVE-2017-15095 | 2.13.4.1, 2.13.4, 2.12.7.1, 2.12.6.1, 2.12.2.1, 2.10.5.1, 2.9.10.8, 2.9.10.7, 2.9.10.6, 2.9.10.4, 2.9.10.3, 2.9.10.2, 2.9.10.1, 2.9.10, 2.9.9.2, 2.9.9, 2.9.8, 2.9.7, 2.9.6, 2.9.5, 2.9.4 |
| ch.qos.logback/logback-core | | 1.1.9 | CVE-2023-6378, CVE-2017-5929 | 1.4.12, 1.3.12, 1.2.13, 1.2.0 |
| ch.qos.logback/logback-classic | | 1.1.9 | CVE-2023-6378, CVE-2017-5929 | 1.4.12, 1.3.12, 1.2.13, 1.2.0 |

Best Fix Suggestions for QwietAI-java-demo

No critical or high findings found to suggest best fixes for QwietAI-java-demo.

Scan Improvements for QwietAI-java-demo (java)

  • CLI: Pass the argument --tag branch=name to populate the branch name in the UI for this app.
  • CLI: Pass the argument --vcs-prefix-correction "*=src/main/java" to make the Source Code View work correctly in the UI.
  • APP: This is a small app with only 1439 lines of code.
  • TOKEN: Use a CI integration token to scan apps with Qwiet AI. Currently scanned with mgomes@qwiet.ai's personal access token.


github-actions Bot commented Jan 3, 2025


Checking analysis of application QwietAI-MultiLang against 3 build rules.

Using sl version 0.9.2930 (5abf6e645c197c6b3ae966613424392ebf8b1ae6).

Checking findings on scan 2.

Results per rule:

  • Allow no critical findings: FAIL
    (1 matched vulnerability; configured threshold is 0).

    Finding:

        ID   CVSS    Rating    Title                                                                                                              
     1_2    9.0   critical   Remote Code Execution: Code Injection Through Attacker-controlled Data via foo in SearchController.doGetSearch 
     Severity rating   Count 
     Critical              1 
     High                  0 
     Medium                0 
     Low                   0 
  • Allow one OSS or container finding: FAIL
    (411 matched vulnerabilities; configured threshold is 1).

    First 15 findings:

          ID   CVSS    Rating    CVE              Title                                                                                                                                                   
     1_128   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to…
     1_335   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                         
     1_364   10.0   critical   GMS-2022-559     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                          
     1_375   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.         
      1_44    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderC…
      2_47    9.8   critical   CVE-2019-10202   A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, …
      2_10    9.0   critical   CVE-2021-30139   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      2_15    9.0   critical   CVE-2021-36159   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      2_60    9.0   critical   CVE-2022-28391   CVE-2022-28391 affecting package busybox for versions less than 1.36.1-3. A patched version of the package is available.                                
      2_79    9.0   critical   CVE-2021-3711    In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this …
      3_31    9.8   critical   CVE-2019-10202   A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, …
       3_8    9.0   critical   CVE-2021-30139   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      3_12    9.0   critical   CVE-2021-36159   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      3_57    9.0   critical   CVE-2022-28391   CVE-2022-28391 affecting package busybox for versions less than 1.36.1-3. A patched version of the package is available.                                
      3_75    9.0   critical   CVE-2021-3711    In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this …
     Severity rating   Count 
     Critical             66 
     High                228 
     Medium              108 
     Low                   9 
     Finding Type   Count 
     Oss_vuln         210 
     Container        201 
  • Allow no reachable OSS vulnerability: FAIL
    (53 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

          ID   CVSS    Rating    CVE              Title                                                                                                                                                   
     1_272    9.8   critical   CVE-2018-8014    The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insec…
     1_281    9.8   critical   CVE-2020-1938    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as ha…
     1_284    9.8   critical   CVE-2017-5651    In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing.…
     1_271    9.1   critical   CVE-2017-5648    While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.R…
     1_261    9.0   critical   CVE-2022-37434   zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applic…
     Severity rating   Count 
     Critical              5 
     High                 27 
     Medium               20 
     Low                   1 
     Finding Type   Count 
     Oss_vuln          51 
     Container          2 

3 rules failed.


ongamse commented Jan 3, 2025



github-actions Bot commented Jan 3, 2025


Checking analysis of application QwietAI-MultiLang against 3 build rules.

Using sl version 0.9.2930 (5abf6e645c197c6b3ae966613424392ebf8b1ae6).

Checking findings on scan 4.

Results per rule:

  • Allow no critical findings: pass
    (0 matched vulnerabilities; configured threshold is 0).

  • Allow one OSS or container finding: FAIL
    (411 matched vulnerabilities; configured threshold is 1).

    First 15 findings:

          ID   CVSS    Rating    CVE              Title                                                                                                                                                   
     1_128   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to…
     1_335   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                         
     1_364   10.0   critical   GMS-2022-559     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-core.                          
     1_375   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.         
      1_44    9.8   critical   CVE-2017-5929    QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderC…
      2_47    9.8   critical   CVE-2019-10202   A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, …
      2_10    9.0   critical   CVE-2021-30139   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      2_15    9.0   critical   CVE-2021-36159   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      2_60    9.0   critical   CVE-2022-28391   CVE-2022-28391 affecting package busybox for versions less than 1.36.1-3. A patched version of the package is available.                                
      2_79    9.0   critical   CVE-2021-3711    In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this …
      3_31    9.8   critical   CVE-2019-10202   A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, …
       3_8    9.0   critical   CVE-2021-30139   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      3_12    9.0   critical   CVE-2021-36159   pkg:pkg/alpine/apk-tools@2.12.3-r0                                                                                                                      
      3_57    9.0   critical   CVE-2022-28391   CVE-2022-28391 affecting package busybox for versions less than 1.36.1-3. A patched version of the package is available.                                
      3_75    9.0   critical   CVE-2021-3711    In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this …
     Severity rating   Count 
     Critical             66 
     High                228 
     Medium              108 
     Low                   9 
     Finding Type   Count 
     Oss_vuln         210 
     Container        201 
  • Allow no reachable OSS vulnerability: FAIL
    (46 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

          ID   CVSS    Rating    CVE              Title                                                                                                                                                   
     1_272    9.8   critical   CVE-2018-8014    The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insec…
     1_281    9.8   critical   CVE-2020-1938    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as ha…
     1_284    9.8   critical   CVE-2017-5651    In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing.…
     1_271    9.1   critical   CVE-2017-5648    While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.R…
     1_301    8.6     high     CVE-2022-25762   If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apac…
     Severity rating   Count 
     Critical              4 
     High                 25 
     Medium               16 
     Low                   1 

2 rules failed.
