New vulns

[PavelLinearB]

Description

A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.

Resolved or fixed issue:

Affirmation

• My code follows the CONTRIBUTING.md guidelines

[jit-ci]

❌ Jit has detected 11 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.

[jit-ci]

Security control: Software Component Analysis Js

Type: Got Allows A Redirect To A Unix Socket

Description: download>got

Severity: HIGH

Learn more about this issue

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[PavelLinearB]

#jit_ignore_fp

[jit-ci]

Security control: Software Component Analysis Js

Type: Regular Expression Denial Of Service In Moment

Description: finale-rest>moment

Severity: HIGH

Learn more about this issue

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Software Component Analysis Js

Type: Regular Expression Denial Of Service (Redos) In Lodash

Description: finale-rest>lodash

Severity: HIGH

Learn more about this issue

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Software Component Analysis Js

Type: Authorization Bypass In Express-Jwt

Description: express-jwt

Severity: HIGH

Learn more about this issue

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Software Component Analysis Js

Type: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage

Description: express-jwt>jsonwebtoken

Severity: HIGH

Learn more about this issue

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Software Component Analysis Js

Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service

Description: download>got>cacheable-request>http-cache-semantics

Severity: HIGH

Learn more about this issue

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Static Code Analysis Js

Type: Codsec.Javascriptnosql-Injection.Nosql-Injection

Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.

Severity: HIGH

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Secret Detection

Type: Private-Key

Description: Private Key

Severity: HIGH

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Secret Detection

Type: Generic-Api-Key

Description: Generic API Key

Severity: HIGH

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

Security control: Docker Scan

Type: Image User Should Not Be 'Root'

Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

Severity: HIGH

Learn more about this issue

Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

• First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:
  • If a non-root user already exists in your container, consider using it.
  • If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.

Suggested change

	FROM alpine
	FROM alpine
	RUN addgroup --system <group>
	RUN adduser --system <user> --ingroup <group>
	USER <user>:<group>

---

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

• #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
• #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
• #jit_undo_ignore Undo ignore command

[jit-ci]

❌ Jit has detected 10 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 1 finding.

[gitstream-cm]

PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"\n\n 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n### Coverage and Duplications\n\n No Coverage information \n 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"gitStream.cm","status":"COMPLETED","summary":"SecurityManager/debug, SecurityManager/Security_comment, jit-and-sonar/mark_security_hotspots, jit-and-sonar/jit_vulns, jit-and-sonar/jit_secretss","title":"SecurityManager/debug, SecurityManager/Security_comment, jit-and-sonar/mark_security_hotspots, jit-and-sonar/jit_vulns, jit-and-sonar/jit_secretss","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Comment added","title":"Comment added","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Reviewers assigned: Dudu-linb","title":"Reviewers assigned: Dudu-linb","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"🤫 PR with secrets","title":"🤫 PR with secrets","text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:10Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [ ] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}

[gitstream-cm]

This PR failed due to High severity vulnerability finding, if you don't fix it please select:

• I need help with that fix.
• I want to accept the risk, please approve.
• This is false positive, please approve.
• This is a test / simulator environment, please exclude.

[gitstream-cm]

PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"\n\n 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n### Coverage and Duplications\n\n No Coverage information \n 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"gitStream.cm","status":"IN_PROGRESS","summary":null,"title":null,"text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:42Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [ ] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]},{"commenter":"PavelLinearB","content":"","state":"commented","conversations":[{"commenter":"PavelLinearB","content":"#jit_ignore_fp","created_at":"2023-06-06T10:28:41Z","state":"submitted","id":1219378096}]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"PavelLinearB","content":"#jit_ignore_fp","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}

[gitstream-cm]

PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"\n\n 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n### Coverage and Duplications\n\n No Coverage information \n 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"gitStream.cm","status":"IN_PROGRESS","summary":null,"title":null,"text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:56Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [x] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]},{"commenter":"PavelLinearB","content":"","state":"commented","conversations":[{"commenter":"PavelLinearB","content":"#jit_ignore_fp","created_at":"2023-06-06T10:28:41Z","state":"submitted","id":1219378096}]},{"commenter":"jit-ci","content":"❌ Jit has detected 10 important findings in this PR that you should review.\n_The findings are detailed as separate comments.\n_It’s highly recommended that you fix these security issues before merge.\n\nUntil now, you ignored/fixed 1 finding.","state":"commented","conversations":[]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"PavelLinearB","content":"#jit_ignore_fp","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n

\n

Jit Bot commands and options (e.g., ignore issue)

\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n

\n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}

[sonarcloud]

SonarCloud Quality Gate failed.   

0 Bugs
0 Vulnerabilities
2 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication