Security

Audit

dangerous-shell-run

Dynamic content was found in the command passed to an external process. This is dangerous if arbitrary data can reach this call, because it allows a malicious actor to execute commands. Ensure the variables are not controlled by users or are sufficiently sanitized.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

scalac-debug

Scala applications built with debug set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Remove it from configuration.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-489: Active Debug Code
OWASP:
- A05:2021 - Security Misconfiguration

documentbuilder-dtd-enabled

A DocumentBuilder is being instantiated without calling the setFeature functions that are generally used to disable entity processing. User-controlled data reaching an XML DocumentBuilder can result in XML entity processing vulnerabilities such as disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF) and port scanning. Make sure to disable entity processing functionality.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

path-traversal-fromfile

Flags possible path traversal. If an unfiltered parameter is passed into ‘fromFile’, a file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other problems. Sanitize the user input instead of performing direct string concatenation.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
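The check the path-traversal-fromfile rule asks for, as an added Scala example (not CodeAnt's or the rule's own code): the concatenated form beside a version that resolves the parameter against a base directory and rejects anything that normalizes outside it. The base directory and the sample inputs are hypothetical.

```scala
import java.nio.file.{Files, Path, Paths}
import scala.io.Source

object SafeFromFile {
  // Hypothetical directory the application is allowed to serve files from.
  val baseDir: Path = Paths.get("/var/app/reports").toAbsolutePath.normalize()

  // Flagged pattern: the request parameter is concatenated straight into the path,
  // so an input such as "../../etc/hostname" walks out of baseDir.
  def vulnerableRead(name: String): String = {
    val s = Source.fromFile(s"/var/app/reports/$name")
    try s.mkString finally s.close()
  }

  // Hardened: resolve against the base, normalize away "." and "..", then require the
  // result to still lie inside baseDir. An absolute input replaces the base on resolve(),
  // so it fails the same check. Symlinks inside baseDir would need toRealPath() as well.
  def resolveInside(name: String): Either[String, Path] = {
    val candidate = baseDir.resolve(name).normalize()
    if (candidate.startsWith(baseDir) && candidate != baseDir) Right(candidate)
    else Left(s"rejected path: $name")
  }

  def safeRead(name: String): Either[String, String] =
    resolveInside(name).flatMap { p =>
      if (!Files.isRegularFile(p)) Left(s"not a regular file: $p")
      else {
        val s = Source.fromFile(p.toFile)
        try Right(s.mkString) finally s.close()
      }
    }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: a plain name, a ".." escape and an absolute path.
    Seq("q1.txt", "../../etc/hostname", "/etc/hostname").foreach { n =>
      println(s"$n -> ${resolveInside(n)}")
    }
  }
}
```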

xmlinputfactory-dtd-enabled

An XMLInputFactory is being instantiated without calling the setProperty functions that are generally used to disable entity processing. User-controlled data reaching an XML parser can result in XML entity processing vulnerabilities such as disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF) and port scanning. Make sure to disable entity processing functionality.
Likelihood: LOW
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration

dispatch-ssrf

A parameter passed directly into url most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist of approved hosts or hardcode the correct host.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)

tainted-sql-string

User data flows into this manually constructed SQL string. User data can be safely inserted into SQL using prepared statements or an object-relational mapper (ORM). A manually constructed SQL string is a possible indicator of SQL injection, which could let an attacker steal or manipulate data in the database. Instead, use prepared statements (Connection.prepareStatement) or a safe library.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
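The fix the tainted-sql-string rule describes, as an added Scala example (not CodeAnt's own code): the concatenated query beside the prepared-statement form, run against an in-memory database so the difference is visible. It assumes the H2 JDBC driver is on the classpath; the table and rows are constructed for the demonstration.

```scala
import java.sql.{Connection, DriverManager, ResultSet}
import scala.collection.mutable.ListBuffer

object SqlLookup {
  // Flagged pattern: user data is concatenated into the SQL text, so a value such as
  // "' OR '1'='1" changes the WHERE clause instead of being compared as a literal.
  def vulnerableFind(conn: Connection, username: String): List[String] = {
    val rs = conn.createStatement()
      .executeQuery(s"SELECT username FROM users WHERE username = '$username'")
    collect(rs)
  }

  // Hardened: the SQL text is fixed at compile time; the value travels as a bound parameter.
  def safeFind(conn: Connection, username: String): List[String] = {
    val ps = conn.prepareStatement("SELECT username FROM users WHERE username = ?")
    ps.setString(1, username)
    collect(ps.executeQuery())
  }

  private def collect(rs: ResultSet): List[String] = {
    val out = ListBuffer.empty[String]
    while (rs.next()) out += rs.getString(1)
    out.toList
  }

  def main(args: Array[String]): Unit = {
    // Assumes the H2 driver is on the classpath; constructed in-memory table.
    val conn = DriverManager.getConnection("jdbc:h2:mem:demo")
    val st = conn.createStatement()
    st.execute("CREATE TABLE users(username VARCHAR(64))")
    st.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    val probe = "' OR '1'='1"
    println(vulnerableFind(conn, probe)) // List(alice, bob): the condition is always true
    println(safeFind(conn, probe))       // List(): no user is literally named that
    conn.close()
  }
}
```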

rsa-padding-set

Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with OAEPWithMD5AndMGF1Padding.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-780: Use of RSA Algorithm without OAEP
OWASP:
- A02:2021 - Cryptographic Failures

scalaj-http-ssrf

A parameter passed directly into Http most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist of approved hosts or hardcode the correct host.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)

scalajs-eval

eval() function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use eval(). Do not use eval(). Alternatively: Ensure evaluated content is not definable by external sources. If it’s not possible, strip everything except alphanumeric characters from an input provided for the command string and arguments.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection

insecure-random

Flags the use of a predictable random value from scala.util.Random. This can lead to vulnerabilities when used in security contexts, such as in a CSRF token, password reset token, or any other secret value. To fix this, use java.security.SecureRandom instead.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-330: Use of Insufficiently Random Values
OWASP:
- A02:2021 - Cryptographic Failures

io-source-ssrf

A parameter passed directly into fromURL most likely leads to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist of approved hosts or hardcode the correct host.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
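The host allowlist recommended by the dispatch-ssrf, scalaj-http-ssrf and io-source-ssrf rules, as an added Scala example (not CodeAnt's own code) written around scala.io.Source.fromURL; the same validate step applies before any client. The allowed host names and sample URLs are hypothetical, and main only runs validation, so it needs no network access.

```scala
import java.net.URI
import scala.io.Source
import scala.util.Try

object SafeFetch {
  // Hypothetical allowlist of hosts this service is permitted to call.
  private val allowedHosts = Set("api.example.com", "reports.example.com")

  // Flagged pattern: the caller-supplied string is the whole URL.
  def vulnerableFetch(url: String): String = Source.fromURL(url).mkString

  // Hardened: parse first, then check the scheme, reject userinfo (which lets
  // "https://api.example.com@other.host/" look allowlisted) and compare the exact host.
  def validate(url: String): Either[String, URI] =
    Try(new URI(url)).toOption match {
      case None => Left(s"unparseable URL: $url")
      case Some(u) =>
        val host = Option(u.getHost).map(_.toLowerCase)
        if (!Set("http", "https").contains(u.getScheme)) Left(s"scheme not allowed: $url")
        else if (u.getUserInfo != null) Left(s"userinfo not allowed: $url")
        else if (!host.exists(allowedHosts.contains)) Left(s"host not allowed: $url")
        else Right(u)
    }

  def safeFetch(url: String): Either[String, String] =
    validate(url).map { u =>
      // Source.fromURL uses URL.openStream, which follows HTTP redirects by default, so an
      // allowlisted host that redirects elsewhere still needs a client with redirects disabled.
      val s = Source.fromURL(u.toURL)
      try s.mkString finally s.close()
    }

  def main(args: Array[String]): Unit = {
    // Constructed inputs covering an allowed host, an internal host, userinfo and a non-HTTP scheme.
    Seq(
      "https://api.example.com/v1/report",
      "http://localhost:8080/internal/status",
      "https://api.example.com@other.example/x",
      "file:///etc/hostname"
    ).foreach(u => println(s"$u -> ${validate(u)}"))
  }
}
```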

dangerous-seq-run

Dynamic content was found in the command passed to an external process. This is dangerous if arbitrary data can reach this call, because it allows a malicious actor to execute commands. Ensure the variables are not controlled by users or are sufficiently sanitized.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection

scala-dangerous-process-run

Dynamic content was found in the command passed to an external process. This is dangerous if arbitrary data can reach this call, because it allows a malicious actor to execute commands. Use Seq(...) for dynamically generated commands.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
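The three patterns behind dangerous-shell-run, dangerous-seq-run and scala-dangerous-process-run, as an added Scala example (not CodeAnt's own code) using scala.sys.process: the shell and whitespace-split forms beside a Seq(...) form whose dynamic element is validated first. The command (wc) and the sample file name are constructed for the demonstration.

```scala
import scala.sys.process._
import scala.util.Try

object ProcessRunDemo {
  // dangerous-shell-run pattern: the string is handed to a shell, so ';' ends the
  // intended command and starts a second one.
  def vulnerableShell(name: String): String =
    Seq("sh", "-c", s"wc -l $name").!!

  // scala-dangerous-process-run pattern: no shell is involved, but sys.process splits a
  // String command on whitespace, so one input can become several arguments or options.
  def vulnerableString(name: String): String =
    s"wc -l $name".!!

  // Hardened: Seq passes each element as exactly one argv entry, "--" stops option parsing,
  // and the value is checked against a strict allowlist of plain file names. The Seq alone
  // still carries dynamic content (the dangerous-seq-run case), so the check is what matters.
  private val SafeName = "^[A-Za-z0-9._-]{1,64}$".r

  def safeSeq(name: String): Either[String, String] =
    name match {
      case SafeName() => Right(Seq("wc", "-l", "--", name).!!)
      case _          => Left(s"rejected file name: $name")
    }

  def main(args: Array[String]): Unit = {
    // Constructed input showing the shape of a tampered parameter.
    val tampered = "report.txt; echo injected"
    println(safeSeq(tampered))          // Left(rejected file name: report.txt; echo injected)
    println(Try(safeSeq("report.txt"))) // Success(Right(...)) if report.txt exists, else Failure
  }
}
```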

sax-dtd-enabled

An XML processor is being instantiated without calling the setFeature functions that are generally used to disable entity processing. User-controlled data reaching an XML parser can result in XML entity processing vulnerabilities such as disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF) and port scanning. Make sure to disable entity processing functionality.
Likelihood: MEDIUM
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
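The setFeature and setProperty calls that documentbuilder-dtd-enabled, sax-dtd-enabled and xmlinputfactory-dtd-enabled look for, as an added Scala example (not CodeAnt's own code): one hardened factory for each of the three JDK parser APIs, plus a parse of a constructed document that shows a DOCTYPE being rejected before any entity is processed. The feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```scala
import java.io.ByteArrayInputStream
import javax.xml.parsers.{DocumentBuilderFactory, SAXParserFactory}
import javax.xml.stream.XMLInputFactory
import org.w3c.dom.Document
import scala.util.Try

object HardenedXmlFactories {
  private val DisallowDoctype   = "http://apache.org/xml/features/disallow-doctype-decl"
  private val ExternalGeneral   = "http://xml.org/sax/features/external-general-entities"
  private val ExternalParameter = "http://xml.org/sax/features/external-parameter-entities"
  private val LoadExternalDtd   = "http://apache.org/xml/features/nonvalidating/load-external-dtd"

  // DOM: reject any DOCTYPE outright, and disable external entities as defence in depth.
  def documentBuilderFactory(): DocumentBuilderFactory = {
    val f = DocumentBuilderFactory.newInstance()
    f.setFeature(DisallowDoctype, true)
    f.setFeature(ExternalGeneral, false)
    f.setFeature(ExternalParameter, false)
    f.setFeature(LoadExternalDtd, false)
    f.setXIncludeAware(false)
    f.setExpandEntityReferences(false)
    f
  }

  // SAX: the same feature switches apply to SAXParserFactory.
  def saxParserFactory(): SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    f.setFeature(DisallowDoctype, true)
    f.setFeature(ExternalGeneral, false)
    f.setFeature(ExternalParameter, false)
    f
  }

  // StAX: XMLInputFactory is configured through properties rather than features.
  def xmlInputFactory(): XMLInputFactory = {
    val f = XMLInputFactory.newInstance()
    f.setProperty(XMLInputFactory.SUPPORT_DTD, false)
    f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false)
    f
  }

  def parseDom(xml: String): Try[Document] = Try(
    documentBuilderFactory().newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")))
  )

  def main(args: Array[String]): Unit = {
    // Constructed inputs: a document with a harmless internal DOCTYPE, and a plain one.
    val withDoctype = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>"
    println(parseDom(withDoctype).isFailure) // true: the DOCTYPE is rejected by the parser
    println(parseDom("<r/>").isSuccess)      // true
  }
}
```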