CodeAnt AI home pagelight logodark logo
  • Dashboard
  • Dashboard
  • Documentation
  • Demo Call with CEO
  • Blog
  • Slack
    • Get Started
    • CodeAnt AI
    • Setup
    • Control Center
    • Pull Request Review
    • IDE
    • Compliance
    • Anti-Patterns
    • Code Governance
    • Infrastructure Security Database
    • Application Security Database
      • Apex
      • Bash
      • C
      • Clojure
      • Cpp
      • Csharp
      • Dockerfile
      • Elixir
      • Fingerprints
      • Generic
      • Go
      • Html
      • Java
        • Android
        • Aws-lambda
        • Castor
        • Java-jwt
        • Jax-rs
        • Jboss
        • Jdo
        • Jedis
        • Jjwt
        • Jsch
        • Kryo
        • Lang
          • Audit
          • Correctness
          • Security
          • Security
        • Micronaut
        • Mongo
        • Mongodb
        • Mysql
        • Okhttp
        • Rmi
        • Servlets
        • Spring
        • Thymeleaf
        • Xstream
      • Javascript
      • Json
      • Kotlin
      • Ocaml
      • Php
      • Problem-based-packs
      • Python
      • Ruby
      • Rust
      • Scala
      • Solidity
      • Swift
      • Terraform
      • Typescript
      • Yaml
    Lang

    Security

    xmlinputfactory-possible-xxe

    XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting “javax.xml.stream.isSupportingExternalEntities” to false.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-611: Improper Restriction of XML External Entity Reference
    OWASP:
    - A04:2017 - XML External Entities (XXE)
    - A05:2021 - Security Misconfiguration

    do-privileged-use

    Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-269: Improper Privilege Management
    OWASP:
    - A04:2021 - Insecure Design

    httpservlet-path-traversal

    Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with ’../’. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(…) to only retrieve the file name from the path.
    Likelihood: HIGH
    Confidence: MEDIUM
    CWE:
    - CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
    OWASP:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control

    jackson-unsafe-deserialization

    When using Jackson to marshall/unmarshall JSON to Java objects, enabling default typing is dangerous and can lead to RCE. If an attacker can control $JSON it might be possible to provide a malicious JSON which can be used to exploit unsecure deserialization. In order to prevent this issue, avoid to enable default typing (globally or by using “Per-class” annotations) and avoid using Object and other dangerous types for member variable declaration which creating classes for Jackson based deserialization.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A8:2017 Insecure Deserialization
    - A8:2021 Software and Data Integrity Failures

    insecure-jms-deserialization

    JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures

    servletresponse-writer-xss

    Cross-site scripting detected in HttpServletResponse writer with variable ‘VAR′.UserinputwasdetectedgoingdirectlyfromtheHttpServletRequestintooutput.Ensureyourdataisproperlyencodedusingorg.owasp.encoder.Encode.forHtml:′Encode.forHtml(VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml(VAR′.UserinputwasdetectedgoingdirectlyfromtheHttpServletRequestintooutput.Ensureyourdataisproperlyencodedusingorg.owasp.encoder.Encode.forHtml:′Encode.forHtml(VAR)’.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    OWASP:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection

    xmlinputfactory-external-entities-enabled

    XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting “javax.xml.stream.isSupportingExternalEntities” to false.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-611: Improper Restriction of XML External Entity Reference
    OWASP:
    - A04:2017 - XML External Entities (XXE)
    - A05:2021 - Security Misconfiguration

    use-snakeyaml-constructor

    Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(…) constructor instead, with SafeConstructor or a custom Constructor as the argument.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-502: Deserialization of Untrusted Data
    OWASP:
    - A08:2017 - Insecure Deserialization
    - A08:2021 - Software and Data Integrity Failures

    CorrectnessAudit
    twitterlinkedin
    Powered by Mintlify
    Assistant
    Responses are generated using AI and may contain mistakes.