New vulns #2 #10
New vulns #2 #10
Conversation
![jit-ci[bot]](https://avatars.githubusercontent.com/in/142441?s=60&v=4){kind=small}
| "express-rate-limit": "^5.3.0", | ||
| "express-robots-txt": "^0.4.1", | ||
| "express-security.txt": "^2.0.0", | ||
| "feature-policy": "^0.5.0", | ||
| "file-stream-rotator": "^0.5.7", | ||
| "file-type": "^16.1.0", | ||
| "filesniffer": "^1.0.3", | ||
| "finale-rest": "^1.1.1", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service (Redos) In Lodash
Description: finale-rest>lodash
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -119,17 +119,20 @@ | |||
| "cookie-parser": "^1.4.5", | |||
| "cors": "^2.8.5", | |||
| "dottie": "^2.0.2", | |||
| "download": "^8.0.0", | |||
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service
Description: download>got>cacheable-request>http-cache-semantics
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage
Description: express-jwt>jsonwebtoken
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Authorization Bypass In Express-Jwt
Description: express-jwt
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Forgeable Public/Private Tokens In Jws
Description: express-jwt>jsonwebtoken>jws
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "express-rate-limit": "^5.3.0", | ||
| "express-robots-txt": "^0.4.1", | ||
| "express-security.txt": "^2.0.0", | ||
| "feature-policy": "^0.5.0", | ||
| "file-stream-rotator": "^0.5.7", | ||
| "file-type": "^16.1.0", | ||
| "filesniffer": "^1.0.3", | ||
| "finale-rest": "^1.1.1", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Moment
Description: finale-rest>moment
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge | ||
| { $set: { message: req.body.message } }, | ||
| { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge | ||
| ).then( |
There was a problem hiding this comment.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -20,6 +20,7 @@ import * as utils from './utils' | |||
| import * as z85 from 'z85' | |||
|
|
|||
| export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' | |||
| const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----' | |||
There was a problem hiding this comment.
Security control: Secret Detection
Type: Private-Key
Description: Private Key
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -147,6 +147,8 @@ | |||
| email: wurstbrot | |||
| username: wurstbrot | |||
| password: 'EinBelegtesBrotMitSchinkenSCHINKEN!' | |||
| totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH | |||
| key: timo | |||
There was a problem hiding this comment.
Security control: Secret Detection
Type: Generic-Api-Key
Description: Generic API Key
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -1,3 +1,4 @@ | |||
| FROM alpine | |||
There was a problem hiding this comment.
Security control: Docker Scan
Type: Image User Should Not Be 'Root'
Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
- First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this:
docker run <image> whoami. If it returnsroot, then you should consider using a non-root user, by following one of the next steps:- If a non-root user already exists in your container, consider using it.
- If not, you can create a new user by adding a
USERcommand to the Dockerfile, with a non-root user as argument, for example:USER <non-root-user-name>.
| FROM alpine | |
| FROM alpine | |
| RUN addgroup --system <group> | |
| RUN adduser --system <user> --ingroup <group> | |
| USER <user>:<group> | |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
PavelLinearB
force-pushed
the
new-vulns-#2
branch
from
7b0161a
to
0e68d16
Compare
| @@ -119,17 +119,20 @@ | |||
| "cookie-parser": "^1.4.5", | |||
| "cors": "^2.8.5", | |||
| "dottie": "^2.0.2", | |||
| "download": "^8.0.0", | |||
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service
Description: download>got>cacheable-request>http-cache-semantics
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "express-rate-limit": "^5.3.0", | ||
| "express-robots-txt": "^0.4.1", | ||
| "express-security.txt": "^2.0.0", | ||
| "feature-policy": "^0.5.0", | ||
| "file-stream-rotator": "^0.5.7", | ||
| "file-type": "^16.1.0", | ||
| "filesniffer": "^1.0.3", | ||
| "finale-rest": "^1.1.1", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Moment
Description: finale-rest>moment
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -119,17 +119,20 @@ | |||
| "cookie-parser": "^1.4.5", | |||
| "cors": "^2.8.5", | |||
| "dottie": "^2.0.2", | |||
| "download": "^8.0.0", | |||
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Got Allows A Redirect To A Unix Socket
Description: download>got
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage
Description: express-jwt>jsonwebtoken
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Authorization Bypass In Express-Jwt
Description: express-jwt
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -20,6 +20,7 @@ import * as utils from './utils' | |||
| import * as z85 from 'z85' | |||
|
|
|||
| export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' | |||
| const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----' | |||
There was a problem hiding this comment.
Security control: Secret Detection
Type: Private-Key
Description: Private Key
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -147,6 +147,8 @@ | |||
| email: wurstbrot | |||
| username: wurstbrot | |||
| password: 'EinBelegtesBrotMitSchinkenSCHINKEN!' | |||
| totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH | |||
| key: timo | |||
There was a problem hiding this comment.
Security control: Secret Detection
Type: Generic-Api-Key
Description: Generic API Key
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| { _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge | ||
| { $set: { message: req.body.message } }, | ||
| { multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge | ||
| ).then( |
There was a problem hiding this comment.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -15,7 +15,7 @@ module.exports = function productReviews () { | |||
| return (req: Request, res: Response, next: NextFunction) => { | |||
| const id = req.body.id | |||
| const user = security.authenticatedUsers.from(req) | |||
| db.reviews.findOne({ _id: "a" }).then((review: Review) => { | |||
| db.reviews.findOne({ _id: id }).then((review: Review) => { | |||
There was a problem hiding this comment.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -1,3 +1,4 @@ | |||
| FROM alpine | |||
There was a problem hiding this comment.
Security control: Docker Scan
Type: Image User Should Not Be 'Root'
Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
- First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this:
docker run <image> whoami. If it returnsroot, then you should consider using a non-root user, by following one of the next steps:- If a non-root user already exists in your container, consider using it.
- If not, you can create a new user by adding a
USERcommand to the Dockerfile, with a non-root user as argument, for example:USER <non-root-user-name>.
| FROM alpine | |
| FROM alpine | |
| RUN addgroup --system <group> | |
| RUN adduser --system <user> --ingroup <group> | |
| USER <user>:<group> | |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md Update README.md
PavelLinearB
force-pushed
the
new-vulns-#2
branch
from
4d9c8e2
to
327b2b8
Compare
| @@ -119,17 +119,20 @@ | |||
| "cookie-parser": "^1.4.5", | |||
| "cors": "^2.8.5", | |||
| "dottie": "^2.0.2", | |||
| "download": "^8.0.0", | |||
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service
Description: download>got>cacheable-request>http-cache-semantics
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "express-rate-limit": "^5.3.0", | ||
| "express-robots-txt": "^0.4.1", | ||
| "express-security.txt": "^2.0.0", | ||
| "feature-policy": "^0.5.0", | ||
| "file-stream-rotator": "^0.5.7", | ||
| "file-type": "^16.1.0", | ||
| "filesniffer": "^1.0.3", | ||
| "finale-rest": "^1.1.1", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Moment
Description: finale-rest>moment
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| @@ -119,17 +119,20 @@ | |||
| "cookie-parser": "^1.4.5", | |||
| "cors": "^2.8.5", | |||
| "dottie": "^2.0.2", | |||
| "download": "^8.0.0", | |||
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Got Allows A Redirect To A Unix Socket
Description: download>got
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage
Description: express-jwt>jsonwebtoken
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Authorization Bypass In Express-Jwt
Description: express-jwt
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Moment
Description: express-jwt>jsonwebtoken>moment
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "errorhandler": "^1.5.1", | ||
| "exif": "^0.6.0", | ||
| "express": "^4.17.1", | ||
| "express-ipfilter": "^1.2.0", | ||
| "express-jwt": "0.1.3", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Forgeable Public/Private Tokens In Jws
Description: express-jwt>jsonwebtoken>jws
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
| "express-rate-limit": "^5.3.0", | ||
| "express-robots-txt": "^0.4.1", | ||
| "express-security.txt": "^2.0.0", | ||
| "feature-policy": "^0.5.0", | ||
| "file-stream-rotator": "^0.5.7", | ||
| "file-type": "^16.1.0", | ||
| "filesniffer": "^1.0.3", | ||
| "finale-rest": "^1.1.1", |
There was a problem hiding this comment.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service (Redos) In Lodash
Description: finale-rest>lodash
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fpIgnore and mark this specific single instance of finding as “False Positive”#jit_ignore_acceptIgnore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignoreUndo ignore command
|
Please retry analysis of this Pull-Request directly on SonarCloud. |
Description
A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
Resolved or fixed issue:
Affirmation