Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Jwt-scala
- Lang
- Correctness
- Security
- Play
- Scala-jwt
- Slick
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Audit
Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Scala applications built with debug set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-489: Active Debug Code
OWASP:
- A
- 0
- 5
- :
- 2
- 0
- 2
- 1
-
- -
-
- S
- e
- c
- u
- r
- i
- t
- y
-
- M
- i
- s
- c
- o
- n
- f
- i
- g
- u
- r
- a
- t
- i
- o
- n
Document Builder being instantiated without calling the setFeature functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
Flags cases of possible path traversal. If an unfiltered parameter is passed into ‘fromFile’, file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
A parameter being passed directly into url most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (connection.PreparedStatement) or a safe library.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with OAEPWithMD5AndMGF1Padding instead.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-780: Use of RSA Algorithm without OAEP
OWASP:
- A02:2021 - Cryptographic Failures
A parameter being passed directly into Http most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
eval() function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). Do not use eval(). Alternatively: Ensure evaluated content is not definable by external sources. If it’s not possible, strip everything except alphanumeric characters from an input provided for the command string and arguments.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
Flags the use of a predictable random value from scala.util.Random. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-330: Use of Insufficiently Random Values
OWASP:
- A02:2021 - Cryptographic Failures
A parameter being passed directly into fromURL most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server runnig this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use Seq(...) for dynamically generated commands.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
XML processor being instantiated without calling the setFeature functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration